Commentary: On his Web site, Bruce Schneier describes himself as "an internationally renowned security technologist and author". If Schneier is indeed the "guru" certain parts of the media portray him to be, why, when interviewed by ZDNet.com.au's sister site Builder AU, did he reveal himself to be so clueless?
In the video clip above, Builder AU editor Chris Duckett asks Schneier "why security cost justifications are complete bullshit?" While Duckett isn't known for pulling punches, he's actually quoting Schneier here.
At first, Schneier's explanation of ROI seems sensible: he talks about "measuring the cost of an attack" and "working out the probability of an attack". He then rightfully points out that "it's how all insurance companies build their business models."
But then things get kooky. "This fails when you have very, very rare and very, very expensive events," explained Schneier. "If you have taken any infinity theory — which I don't recommend — you are effectively multiplying zero by infinity."
Now perhaps I don't understand the complexities of Schneier's maths, but if a security threat has a zero probability of occurring, it seems to me that it isn't a security threat. Further, why are you multiplying by infinity? What security attack could possibly have infinite cost? Businesses have a finite value, just as there is a finite amount of money in the world.
Schneier makes a valid point by saying that calculating probabilities and costs of an ROI model is difficult — but it's really nothing a little maths can't solve. Speaking of maths, Schneier goes on to argue that small changes in probability can "completely perturb" IT budgets. Sounds scary.
"If the chance of you being attacked are say one in one million, and I change that to one in two million, who cares? I've suddenly halved the amount of money you should spend... I can completely perturb your budget," he says.
OK, so let's do some maths. Let's take Schneier's example and apply it to a small IT company worth AU$8 million. Let's take the worst-case scenario and say that our theoretical one-in-one-million attack will cost the complete value of the company.
In this case, the IT company should spend AU$8 defending against the attack — the probability multiplied by the cost. If this probability moves to one-in-two-million, then the company should spend AU$4 defending against the attack. As the probabilities get smaller — and harder to calculate — the cost variation becomes less significant.
In fact the truth is the opposite of what Schneier says — ROI is a problem when attacks have a very high probability of happening, not a very low probability.
To give a practical example — say you buy a shiny new Porsche. It's in all likelihood easier to insure the car against being struck by lightning than to insure it against theft. This is because the cost/probability ratios in insurance are much better for rare events. That is, insuring against rare events costs less.
However, this brings us to another problem with Schneier's argument. If an attack has a high probability of occurring, then it is easy to quantify because such attacks are common and lots of data exists to extrapolate their probability.
Not only that, but you can also calculate the uncertainties in your value, giving you an idea of how accurate any probability is. In probability analysis, values without measured uncertainties are considered meaningless, as any actuary will tell you.
So you can construct meaningful ROI models, because rare events are cheap and common events can be predicted.
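The expected-loss arithmetic from the AU$8 million example, together with the interval estimate for the probability that the preceding paragraphs say an actuary would insist on, as an added Python example (not from the article or from Schneier). The company value and incident counts are constructed figures, and the Wilson score interval is this example's choice of uncertainty measure.

```python
import math

# Figures from the article's worked example (constructed, not real data): a
# company worth AU$8 million facing an attack that would cost its full value.
COMPANY_VALUE = 8_000_000.0

def expected_loss(probability, cost):
    """Probability of an attack times the loss if it occurs: the article's
    ceiling on what is worth spending to prevent it."""
    return probability * cost

def wilson_interval(events, trials, z=1.96):
    """95% (z=1.96) Wilson score interval for a probability estimated as
    events/trials, e.g. incidents per observed company-year.

    Chosen over the naive p +/- z*sqrt(p(1-p)/n) because it stays inside
    [0, 1] and still yields a usable upper bound when zero events were seen."""
    if trials <= 0:
        raise ValueError("need at least one observation period")
    p = events / trials
    z2 = z * z
    denom = 1.0 + z2 / trials
    centre = (p + z2 / (2.0 * trials)) / denom
    half = z * math.sqrt(p * (1.0 - p) / trials + z2 / (4.0 * trials ** 2)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))

def relative_width(events, trials, z=1.96):
    """Interval width divided by the point estimate: the 'measured
    uncertainty' the article says a probability is meaningless without.
    Infinite when no events have been observed, since there is then no
    point estimate to scale by."""
    if events == 0:
        return math.inf
    lo, hi = wilson_interval(events, trials, z)
    return (hi - lo) / (events / trials)

def loss_range(events, trials, cost, z=1.96):
    """Lowest and highest expected loss consistent with the observed counts."""
    lo, hi = wilson_interval(events, trials, z)
    return (expected_loss(lo, cost), expected_loss(hi, cost))

if __name__ == "__main__":
    print(expected_loss(1 / 1_000_000, COMPANY_VALUE))  # 8.0
    print(expected_loss(1 / 2_000_000, COMPANY_VALUE))  # 4.0
    # Constructed sample: 50 incidents across 1000 observed company-years.
    print(loss_range(50, 1000, COMPANY_VALUE))
```

Running `relative_width` with more observed periods shows the interval tightening, which is the sense in which common attacks are easier to price than rare ones.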
Last time I checked, insurance was a multi-billion dollar industry, and remains very lucrative. It is built around the very laws of probability that Schneier disputes.
Disclaimer: Unlike Schneier, I am not an "internationally renowned security technologist", just a dumb mug journalist. If you want to defend him, please do so in talkback below.
Alex, there is probably a reason why you're not internationally renowned. Bruce is indeed internationally renowned, has released several textbooks on security, innumerable papers and has been the keynote speaker at virtually every security conference worldwide at some point in time.
You seem to be extrapolating beyond what Bruce has said and then attacking this point you've assumed he meant. Please stop with the straw-man argument, it makes you look either exceedingly stupid, or like you've got some hidden agenda. Which one is it?
As for Bruce's comment about infinity and zero, if you had any background in mathematics, you would realise that he was saying that as the probability approaches zero, the cost approaches infinity. Your argument of 'no threat has zero probability' and 'it will never have infinite cost' is the limit case. The point Bruce was making was that with the risk-cost set up in this manner, the closer you get to the limit case the less accurate predictions become at a given precision.
As for your argument on insurance, when Bruce talks about cost, he doesn't talk about insurance costs, he is talking about the cost to a business should a security breach occur. The insurance cost is the opposite, so your arguments are actually promoting Bruce's argument to anyone who's done basic mathematics in high school.
Please do some research into the field before attacking one of the greatest minds in it. You attacking Bruce would be like me attacking Stephen Hawking about his ideas on astrophysics. Drop the hidden agenda and just report on the news, please.