Don’t fall into the security trap of only focusing on the weakest link

Andy Boura is an unapologetic technology, science, and business geek. He brings technical depth of knowledge together with broad development process, business, and management experience. This allows him to take a holistic view of technology, information security and risk management, and engage both technical and business groups. He advises on enterprise and technical security architecture of internally developed and third-party applications, and contributes to architectural security strategy, policies, and standards.


“Your security is only as good as the weakest link.”

We’ve all heard it said; perhaps we’ve even said it ourselves. But I have a problem with this saying.

It tends to imply that you should focus on the weakest link, which often isn’t the right call, especially when the weakest link is the hardest one to solve, as in the case of PBCaK (problem between computer and keyboard: the user). Fixing it is not necessarily what gives you the quickest ROI and risk reduction, and the saying is also usually mathematically inaccurate.

It’s not that the analogy is bad; in fact it’s very good. It’s just often used incorrectly. Consider this scenario, with five links in your defences and an estimated annual likelihood of a breach through each one:

Risk 1: 10%
Risk 2: 10%
Risk 3: 15%
Risk 4: 10%
Risk 5: 10%

So, if your security is only as good as the weakest link, and the weakest link (risk 3) has an annual likelihood of 15%, you have a 15% chance of a breach in a year, right? Wrong. Your security is in fact the combination of the weakness of every link.

The simplest way to work out the breach likelihood is to calculate the likelihood of not being breached through any of the links, and then convert this into the breach likelihood by subtracting it from 1. This treats the five risks as independent of one another: if one is breached, it has no bearing on whether another is. With L1 to L5 as the annual likelihoods above, the probability works out as:

1 − (1 − L1) × (1 − L2) × (1 − L3) × (1 − L4) × (1 − L5)
= 1 − 0.9 × 0.9 × 0.85 × 0.9 × 0.9
≈ 1 − 0.56
= 0.44

In other words, there is roughly a 44% chance you will be breached in the next year in the illustrated scenario. Note that this is less than the sum of the likelihoods, which would be 55%: simply adding them up overstates the risk, in the same way that if you toss a coin with a 50% likelihood of tails twice you are not guaranteed to get a tails, even though the likelihoods sum to 100%.

The key is to take a holistic view rather than focus solely on the weakest link, as many of us have been encouraged to do by the misleading adage. Otherwise, you may be ignoring other issues that in aggregate could be more significant, and that may be more tractable to fix.
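The following is an added example, not code from the article or its author, that carries the arithmetic above through in working form and then applies it to the prioritisation question the article raises: given a remediation budget, is fixing the weakest link really the best use of it? It assumes, as the article's formula does, that the links fail independently of one another. The risk names, the remediation options and their costs are constructed for the illustration, and the greedy budget planner is this example's own addition, not a method the article prescribes.

```python
"""Aggregate breach likelihood across several independent weak links.

Added example, not from the original article. Assumes the annual likelihoods
of the individual links are independent, which is the (unstated) assumption
behind the 1 - prod(1 - L_i) formula. All names, likelihoods and costs here
are constructed for illustration.
"""
from typing import Dict, List, Tuple

# Constructed scenario matching the article's figures: "risk3" is the weakest
# link at 15% per year; the remaining four links are 10% each.
SCENARIO: Dict[str, float] = {
    "risk1": 0.10,
    "risk2": 0.10,
    "risk3": 0.15,
    "risk4": 0.10,
    "risk5": 0.10,
}


def breach_probability(likelihoods: Dict[str, float]) -> float:
    """P(at least one link is breached in the year) = 1 - prod(1 - L_i).

    Requires independence between links; correlated risks need a joint model.
    A link with likelihood 1.0 correctly forces the result to 1.0.
    """
    p_no_breach = 1.0
    for name, l in likelihoods.items():
        if not 0.0 <= l <= 1.0:
            raise ValueError(f"{name}: likelihood {l} is not a probability")
        p_no_breach *= 1.0 - l
    return 1.0 - p_no_breach


def weakest_link_estimate(likelihoods: Dict[str, float]) -> float:
    """What the adage suggests: look only at the single worst link."""
    return max(likelihoods.values())


def naive_sum_estimate(likelihoods: Dict[str, float]) -> float:
    """Adding the likelihoods: an over-estimate that can even exceed 1.0."""
    return sum(likelihoods.values())


def marginal_reduction(likelihoods: Dict[str, float], risk: str, residual: float) -> float:
    """Drop in aggregate breach probability if `risk` is reduced to `residual`."""
    before = breach_probability(likelihoods)
    after = breach_probability({**likelihoods, risk: residual})
    return before - after


# A remediation option: (residual likelihood after the fix, cost in effort units).
Fix = Tuple[float, float]


def plan_fixes(likelihoods: Dict[str, float], fixes: Dict[str, Fix], budget: float) -> List[str]:
    """Greedy plan: repeatedly apply the affordable fix with the best risk
    reduction per unit cost. The reduction is recomputed every round because
    the marginal value of a fix depends on which other links are already fixed.
    """
    current = dict(likelihoods)
    remaining = dict(fixes)
    chosen: List[str] = []
    while remaining:
        best, best_ratio = None, 0.0
        for risk, (residual, cost) in remaining.items():
            if cost <= 0 or cost > budget:
                continue
            ratio = marginal_reduction(current, risk, residual) / cost
            if ratio > best_ratio:  # a fix that reduces nothing is never picked
                best, best_ratio = risk, ratio
        if best is None:
            break
        residual, cost = remaining.pop(best)
        current[best] = residual
        budget -= cost
        chosen.append(best)
    return chosen


# Constructed remediation options: the weakest link (the people problem) is the
# most expensive to improve, while two of the 10% links are cheap to eliminate.
FIXES: Dict[str, Fix] = {
    "risk3": (0.05, 10.0),  # awareness programme: 15% -> 5%, costly
    "risk1": (0.00, 2.0),   # patch: eliminated, cheap
    "risk2": (0.00, 2.0),   # configuration fix: eliminated, cheap
    "risk4": (0.02, 6.0),   # re-architecture: 10% -> 2%
    "risk5": (0.10, 4.0),   # spends effort but changes nothing
}

if __name__ == "__main__":
    print(f"aggregate:    {breach_probability(SCENARIO):.3f}")
    print(f"weakest link: {weakest_link_estimate(SCENARIO):.3f}")
    print(f"naive sum:    {naive_sum_estimate(SCENARIO):.3f}")
    print("budget 4:  ", plan_fixes(SCENARIO, FIXES, 4.0))
    print("budget 10: ", plan_fixes(SCENARIO, FIXES, 10.0))
```

With these figures, eliminating both cheap 10% links cuts the aggregate breach probability by about 13 points, more than the 9.8 points you would gain by eliminating the 15% weakest link outright, and at a budget of 10 units the planner never picks the weakest link at all. Only the independence assumption makes the multiplication valid; if, say, a phished user also defeats the patching process, the two links are correlated and the aggregate needs a joint model rather than a product.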
