Bruce Schneier is the go-to security expert for business leaders and policy makers. He is the author of numerous books and publications. One of my favorites is Beyond Fear: Thinking Sensibly about Security in an Uncertain World (2003). In this book, he makes the good point that security is complex, but complex things can be broken down into smaller and simpler steps. He came up with a five-step process to analyze and evaluate security systems, technologies, and practice. The five steps are as follows:
1. What assets are you trying to protect? The most basic question that many people forget to ask. The question involves understanding the scope of the problem. It involves understanding the particular “system” and boundaries you are attempting to protect. Different systems have different problems that require different solutions.
2. What are the risks to these assets? What are you attempting to defend? What are the consequences if it is attacked successfully? Who wants to attack it? How might they attack it? Why are they interested in attacking it?
3. How well does the security solution mitigate those risks? Another seemingly obvious question, but one that is frequently ignored. If the security solution doesn’t solve the problem, it’s no good. It is important to think about and evaluate how the security solution interacts with everything around it, evaluating both its operation and failures.
4. What other risks does the security solution cause? This is basically the problem of unintended consequences. Security solutions have ripple effects, and most cause new security problems. The trick is to understand the new problems and make sure they are smaller than the old ones.
5. What costs and trade-offs does the security solution impose? Every security system has costs and requires trade-offs. Most security costs money, sometimes substantial amounts; but other trade-offs may be more important, ranging from matters of convenience and comfort to issues involving basic freedoms like privacy. Understanding these trade-offs is essential.
Schneier has several good observations and comments. Security is a tax on the honest. Schneier writes the following:
“Security permeates everything we do and supports our society in innumerable ways. It’s there when we wake up in the morning, when we eat our meals, when we’re at work, and when we’re with our families. It’s embedded in our wallets and global financial network, in the doors of our homes and the border crossings of our countries, in our conversations and publications we read. We constantly make security trade-offs, whether we’re conscious of them or not: large and small, personal and social. Many more security trade-offs are imposed on us from outside: by governments, by the marketplace, by technology, and by social norms. Security is a part of our world, just as it is part of the world of every other living thing. It has always been a part, and it always will be.”
The Counter-Terrorism Puzzle: A Guide for Decision Makers (2005) by Boaz Ganor is another good book (the Israelis have the market on security and terrorism books and manuals). Ganor thinks the following are unique characteristics of security and counter-terrorism: interdisciplinary problem; ambiguous boundary between the front line and the home front; the direct and indirect impacts of terror; the types of terrorism; the test to leadership that is embedded in terror; trade-offs and other conflicts of interests; and the levels of the war of terrorism and enhanced global security requirements. I am currently reading A High Price: The Triumphs and Failures of Israeli Counterterrorism (2011) by Daniel Byman.