Don't focus on the weakest link; correctly combine likelihoods
Your security is only as good as the weakest link
We've all heard it said; perhaps even said it. Why do I have a problem with this? It tends to imply that you should focus on the weakest link, which often isn't the case - especially if the weakest link is the hardest to solve (e.g. PBCaK). It's not necessarily the issue that's going to give you the quickest ROI (return on investment) and risk reduction. It's also usually mathematically inaccurate. It's not that the analogy is bad; in fact it's very good. It's just often used incorrectly. Consider this scenario:
So if your security is only as good as the weakest link, and the weakest link (Risk 3) has an annual likelihood of 15%, you have a 15% chance of a breach in a year, right? WRONG!
Your security is in fact the combination of the weakness of every link
The simplest way is to calculate the likelihood of not being breached (every link holds), and then convert this into the breach likelihood by subtracting it from 1. So in this case the probability works out as:
1 - (1 - L1) x (1 - L2) x (1 - L3) x (1 - L4) x (1 - L5)
= 1 - 0.9 x 0.9 x 0.85 x 0.9 x 0.9
≈ 1 - 0.56
= 0.44
In other words there is a 44% chance you will be breached in the next year in the illustrated scenario. Note that this is less than the sum of the likelihoods, which would be 55%: if you toss a coin (50% likelihood of tails) twice you are not guaranteed to get a tails, even though the likelihoods sum to 100%.
The key is to take a holistic view rather than focus on the weakest link (as many of us have been encouraged to do by the misleading adage). Otherwise you may be ignoring other issues that in aggregate could be more significant, and may be more tractable.
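The following is an added example, not part of the original post, that carries the combination formula above through in code and then generalises the point about tractability: it takes the five annual likelihoods implied by the post's arithmetic (10%, 10%, 15%, 10%, 10%), attaches hypothetical remediation costs of my own (the weakest link assumed to be the expensive human-factors one), and brute-forces which set of fixes within a budget reduces the combined likelihood the most.

```python
from itertools import combinations
from math import prod

# Annual likelihood of each link, read back from the post's arithmetic
# (1 - 0.9 x 0.9 x 0.85 x 0.9 x 0.9): Risk 3 is the "weakest link" at 15%.
LIKELIHOOD = {"Risk 1": 0.10, "Risk 2": 0.10, "Risk 3": 0.15,
              "Risk 4": 0.10, "Risk 5": 0.10}

# Hypothetical remediation cost in arbitrary units (NOT from the post):
# the weakest link is assumed to be the hard, human-factors one.
COST = {"Risk 1": 1, "Risk 2": 1, "Risk 3": 3, "Risk 4": 1, "Risk 5": 1}


def breach_likelihood(likelihoods):
    """P(at least one breach) = 1 - product over links of P(that link holds).
    Assumes the links fail independently, as the post's formula does."""
    return 1 - prod(1 - p for p in likelihoods)


def naive_sum(likelihoods):
    """The 'just add them up' figure the post warns against, capped at 1."""
    return min(1.0, sum(likelihoods))


def reduction_from_fixing(to_fix):
    """Fall in combined likelihood if every risk in `to_fix` is fully remediated."""
    remaining = [p for name, p in LIKELIHOOD.items() if name not in to_fix]
    return breach_likelihood(LIKELIHOOD.values()) - breach_likelihood(remaining)


def best_plan(budget):
    """Exhaustively pick the affordable subset of risks that cuts the combined
    likelihood the most (only 32 subsets here, so brute force is fine)."""
    names = list(LIKELIHOOD)
    affordable = [set(s) for k in range(len(names) + 1)
                  for s in combinations(names, k)
                  if sum(COST[n] for n in s) <= budget]
    return max(affordable, key=reduction_from_fixing)


if __name__ == "__main__":
    ps = list(LIKELIHOOD.values())
    print(f"weakest link {max(ps):.0%}, combined {breach_likelihood(ps):.1%}, "
          f"naive sum {naive_sum(ps):.0%}")
    print(f"fix only Risk 3 (3 units): -{reduction_from_fixing({'Risk 3'}):.1%}")
    plan = best_plan(3)
    print(f"best plan for 3 units: {sorted(plan)} -> -{reduction_from_fixing(plan):.1%}")
```

With these assumed costs, three cheap 10% fixes remove about 21 points of combined likelihood for the same spend that removing the 15% weakest link alone buys about 10 points.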
Thoughts, experience, and feedback always welcomed in the comments or via direct message.
Cheers
Andy
Want more news and thoughts on Information Security and emerging Science and Technology? Then please consider following me on twitter or LinkedIn by clicking the follow button above. You may also be interested in some of my previous posts.
@andy_boura
Technology, science, and business geek: Information Security Architecture, Risk Management, Software Development, Entrepreneurship, Business & Management.
Cyber Security Leadership and Strategy | CISO
9 years: Bert, lack of defence in depth is certainly an important factor. Indeed there is a limit to what can be done but with careful design the risks can be reduced both by reducing likelihood and reducing impact should an incident occur.
Cyber Security Leadership and Strategy | CISO
9 years: Ah, a honey pot, not a bad idea.
Using my proven knowledge/expertise in Administration to the advantage of a Great Employer. Unfluencer??
9 years: A good article that illustrates the true statistical outcomes. Perhaps a thought would be that, in computer security terms, the weakest link is the link designed to trap people trying to breach the system.