Friday, August 15, 2008

Microsecurity vs Macrosecurity

I found the following insight by Ravila Helen White in Information Security and Business Integration to be fascinating:

Economists figured out long ago that in order to understand the economy, they would have to employ a double-pronged approach. The first approach would look at the economy by gathering data from individuals and firms on a small scale. The second approach would tackle analysis of the economy as a whole. Thus was born micro and macro economics.

We can make information security more consumable by taking a page from economics. If we divide information security in the same manner as economics (its analytical form), we get micro information security and macro information security.

Micro information security is the nuts and bolts that support an organization's information security practice. It's the technology, controls, countermeasures and tactical solutions that are employed day-to-day to defend against cyber threats. It's a step-by-step examination of information security for educational purposes and to facilitate discussion with our peers.

Macro information security is the big picture and can be utilized to keep management in the loop. It's the blueprint, framework, strategic plan, road map, governance and policies designed to influence and protect the enterprise. It's the bottom line.

Macro information security also extends externally to support partners and customers as well as ensure compliance with regulations. Internal organization extension includes support of convergence programs and includes alignment to business goals and objectives.

Macro information security enables security leaders to align themselves and the program(s) they oversee with the business. It bridges information security vernacular with traditional business acumen. When used correctly, macro information security can be the tool that equals success. And, success is being invited back to the table again and again.
I like this separation, although I am not as comfortable with the exact definitions. If you're fuzzy about the difference between microeconomics and macroeconomics, Wikipedia is helpful:

Microeconomics is a branch of economics that studies how individuals, households and firms make decisions to allocate limited resources, typically in markets where goods or services are being bought and sold.

Microeconomics examines how these decisions and behaviours affect the supply and demand for goods and services, which determines prices; and how prices, in turn, determine the supply and demand of goods and services.
Macroeconomics is a branch of economics that deals with the performance, structure, and behavior of a national or regional economy as a whole... Macroeconomists study aggregated indicators such as GDP, unemployment rates, and price indices to understand how the whole economy functions. Macroeconomists develop models that explain the relationship between such factors as national income, output, consumption, unemployment, inflation, savings, investment, international trade and international finance.

The differences are striking and the distinction helpful. I don't think anyone thinks of a microeconomist in a negative light because he or she doesn't dwell on the "big picture" macroeconomic view. It's simply two different ways to contemplate and explain economic activity.

We have a separation of sorts in the security world. Macrosecurity types like to think about aggregate risk, capturing metrics, and enterprise-wide security postures. Microsecurity types prefer to focus on individual networks, hosts, applications, operating systems, and hardware, along with specific attack and defense options.

I think I prefer microsecurity issues but spend time on the macro side when I have to justify my work to management.

1 comment:

Davi Ottenheimer said...

nice post, but i have traditionally used macro-security to refer to state-level controls and micro-security to be corporate or sub-state.