Shostack + Friends Blog Archive


The Best Question In Information Security

Ian Grigg seems to have kicked off a micro-trend with “The most magical question of all — why are so many bright people fooling themselves about the science in information security?.” Gunnar Peterson followed up with “Most Important Security Question: Cui Bono?” Both of these are really good questions, but I’m going to take issue with Gunnar’s claim. Who benefits is a great analytic tool to bring to the table, but it’s not the most important. The most important question isn’t even “Are you getting the outcomes you want?” or even “Are your controls producing the outcomes you want?”

I really like both of those questions, but I don’t think they quite capture the position of best. They’re better than many, which is an important step forward. But we can still do better. Security isn’t something people want in and of itself. It’s a property that you want for things. In the same way that people don’t go and buy a usability product, they don’t really want to buy security products. They might buy a reliability product (like a failover system, or a high availability storage system), but they’re buying it to enable something else. And even as we work on our speciality, and even as I think it’s important, it’s part of the business, and so my proposal for today’s most important question to ask security is:

How’s that working out for you?

It’s sad how often that brings smart folks in security to a dead stop. We can and should do better, and I think that “How’s that working out for you?” helps us get better outcomes faster than “cui bono.”

And I’m optimistic that someone will say that question isn’t working very well for them, and offer up something better.

4 comments on "The Best Question In Information Security"

  • Gunnar says:

    I agree – Are you getting the outcomes you want? is a better question than cui bono (tho yours loses the cool Latin thing).

    If we can add – Are you getting the outcomes you want *and* do you feel confident about getting those outcomes in the future? Then I will vote for that.

  • jared says:

    Gunnar, your add is great. For me, I alter it a bit to read, “are you getting the outcomes you want and how do you feel about getting in the future.”
    Using the new school tactics I like to make a case for how the control landscape should adjust to the threat landscape.
    I’m ok with the business choosing not to change. I’m not ok with being surprised.

  • jared says:

    oops, forgot greater/less than symbols are html tags… I meant to say, “are you getting the outcomes you want and how do you feel about getting *new predicted outcomes* in the future.”

  • Russell says:

    Contrary to my contrary nature, I’m going to agree with everyone!

    Ian’s great question focuses attention on why all the time, money, and brilliance invested in purely engineering solutions haven’t made us more secure. (Ian uses the term “security as a science” to mean crypto algorithms, purpose-built security devices, trusted computing architectures, etc., which I call “engineering solutions”). If your only tool is a hammer, every problem looks like a nail. When in doubt, get a bigger hammer.

    Gunnar’s “Cui bono?” question puts a spotlight on the incentive systems that perpetuate this unproductive cycle, and also other maladaptive cycles in Information Security. The best way to break the cycle is to change the incentives.

    Sir Adam’s great question is the ultimate test for all InfoSec efforts — “how’s it working for you?”. I like Gunnar’s and Jared’s adds because they emphasize the forward-looking nature of security decisions, plus the essential uncertainties and necessity of continuous learning.

    OK now… how about a group hug!!! 🙂
