Wednesday, April 26, 2006

Return on Security Investment

Just today I mentioned that there is no such thing as return on security investment (ROSI). I was saying this two years ago. As I was reviewing my notes, I remembered one true case of ROSI: the film Road House. If you've never seen it, you're in for a treat. It's amazing that this masterpiece is only separated by four years from Swayze's other classic, Red Dawn. (Best quote from Red Dawn: A member of an elite paramilitary organization: "Eagle Scouts.")

In Road House, Swayze plays a "cooler" -- a bouncer who cleans up unruly bars. He's hired to remove the riff raff from the "Double Deuce," a bar so rough the band is protected by a chicken wire fence! I personally would have hired Jackie Chan, but that's a story for another day. Swayze's character indeed fights his way through a variety of local toughs, in the process allowing classier and richer patrons to frequent the Double Deuce. The owner clearly sees a ROSI; the money he pays Swayze is certainly less than the amount he now receives from a more upscale establishment.

Is there a lesson to be drawn for the digital security world? Notice the focus on threats. The Double Deuce owner didn't hire Swayze to build higher walls or cover windows with iron bars. Instead of addressing vulnerabilities, he sought threat removal. This is not a process the average company can implement; usually law enforcement and intelligence agencies have this power.

I have heard the term "friendly force presence" being used within certain military circles. This seems to refer to keeping assessment teams on the lookout for indications of the adversary on our networks. This certainly works in the physical world, but it may be difficult to translate into the virtual one.

One example: when I visited Ottawa recently, I stopped at a McDonald's to get a quick meal. The place was teeming with teenagers, most of whom were just lounging around. I considered leaving because the place was so full. I saw a manager appear a few minutes after I arrived, and with him came a uniformed police officer. The officer had a word with one or two of the larger teens and suddenly the restaurant started to empty. Within five minutes hardly anyone was left, and no one under the age of 18. It was amazing.

3 comments:

Anonymous said...

what you illustrated was the power of colloboration between commercial entities and law enforcement entities. Without knowing where to focus law enforcement is to use a poor term "hearding cats". Looking over a physical environment is pretty easy from the perspective of a bar or resturant and calling in enforcement personnel is easy enough. Digitally the overview of the posture is a bit more difficult but there are plenty of tools out there to help this situation. The tougher part is convincing people that is is worth the effort to clean up the mess. This is becoming easier over time but we're still in the "wild west" days of the internet so I don't expect things to change overnight.

jbmoore said...

It may be easier to use misdirection and aggressive attack tactics. Misdirection in the case of honeypots - traps to lure the bad guys that appear vulnerable and exploitable. Aggressive tactics will only work with known entities, i.e. other governments' intelligence agencies. You attack their networks and keep them busy reacting to your attack so that they don't have time to attack your network. The latter will not work with amorphous entities like cybermafia, maverick hackers and such. It's equivalent to minimizing your risk of breakin if you are a normal person or businessman. You hope your security is adequate until a burglar proves you wrong.

John Ward said...

Patrick Swayze? Masterpiece? There is so much I could say...