The I&AM Reference Architecture must be based on the idea of the “Circle of Trust”. I take this notion from a paper published by John Arnold in 2006. In this context, “security” is interpreted as the definition, the establishment, the enforcement and the verification of trust. The I&AM domain is conceived in terms of “establishment of trust” under the “Selection” disciplines. Establishing trust requires activities such as access controls, account provisioning and role engineering.
The quadrants of the Circle of Trust can be defined as follows:
Direction: Definition of Trust, Operating Model, Governance
Selection: Establish Trust, Authorizations/Roles, Confidentiality
Protection: Enforce Trust, Perimeter/Access, Availability
Detection: Verify Trust, Compliance/Audit, Integrity
In turn, these four perspectives roughly map to four deep philosophical frameworks:
In the following lines I use these perspectives to frame the long-standing debate about investment in IT security!
I have been reading retrospectively the IT press for the past 10 years, in order to determine how the opinions have changed. What was the main problem being discussed in 2000? What was the main solution? I focused on investment levels, and on the ideas industry observers and specialists were discussing. I noticed that for about half the period I reviewed, the predominant opinion was that the investment levels were too low. In the second half, roughly, the opinion is that the investment levels are rising quite fast and probably reaching a plateau. There are the usual alerts about small and medium sized organisations were security investment is deemed still to be too low, but the consensus is that large organisations are now spending between 8 and 12 per cent of their IT budgets in information security. Paul Strassman, a long time analyst of IT security from the point of view of corporate management, even alerts that exceeding 10 per cent of the IT budget may indicate poor investment criteria and bad results. Along the period reviewed, there was a consistent effort from the side of the industry and even academia to substantiate investment in security. It seems to me that this effort was successful. This effort focused on the demonstration of the “return” of security investments. Several theories arose, but the dominant one was the so-called “risk-based security investment analysis”.
It is almost impossible to find a critical view of risk-based analysis, aside of the works by Donn Parker, G. S. Dhillon and J. Backhouse. See for example:
The dominance of risk-based security –which corresponds to the prevalent mechanistic paradigm – is not absolute, and along the entire period it is possible to find other paradigms at play. This has been shown by McFadzean, Ezingeard and Birchall (Anchoring Information Security Governance Research: Sociological Groundings And Future Directions , Henley Management College, Proceedings of the Third Security Conference, April 14-15, 2004, Las Vegas, Nevada, USA, http://www.information-institute.org/security/3rdConf/Proceedings/9.pdf ).
I am concerned here with the dominant paradigm, which I classify as “mechanistic”, not because I seek a “paradigm shift” towards any of the other fundamental paradigms, but because I want to promote competition and co-operation of the four key paradigms (root metaphors). It is my opinion that the lack of balance and cooperation, the presumption that only mechanicism is valid in computer science and information technology has a deleterious effect on our profession.
The key idea is that there is more chance of achieving advanced, economic, good solutions with the selective and purposeful blending of the approaches, than with the more or less unilateral application of the mechanistic paradigm. In its extreme form, without the controlling forces of the others, in the sphere of information security, the mechanistic paradigm enforces the disciplines of “protection”, and the outcome is basically a periphery-focused security world. This is the world of firewalls, gateways, proxy servers, content filtering, antivirus software, penetration testing and “risk analysis”.
Risk analysis is essential to this view for two main reasons: a) because it is easy to think of risks as something externally determined, something that has to be stopped, and b) because a risk calculation can be attempted in the simplistic form of “attack frequency”. In doing this, the risk analyst achieves the appearance of a scientific approach.
It is only an appearance! Consider how difficult it would be to blend into one risk framework valid security issues as different as compliance (associated to the contextualist paradigm), account lifecycle management (pertaining to the organicist paradigm), and trust management (pertinent to the formist paradigm). If even within the attack + vulnerability logic of the mechanistic paradigm it is impossible to calculate objective probabilities, consider the meaninglessness of trying to “calculate” risk values for a combination of the four basic paradigms.
On the other hand, while aiming at the status of a scientific approach, mechanism is not consistent: it wants to use objective probabilities, but is always forced to employ arbitrary calculations, frequency estimates and pre-defined “lists” of vulnerabilities. It tries to be of universal applicability, but is unable to estimate the return on investment of several classes of security software more related to the other competing paradigms. How would a risk expert estimate the risks and risk reduction of an Identity Management solution? Finally, and this is my main point here, the mechanistic approach uses a definition of risk that is foreign to the economics of investment, although (in some versions) close to the notion of insurance.
Risk based security is based on the risk of losses. Strictly speaking, it is therefore not correct to refer to Return on Investment in this context.
It is an established trend in the industry and in research but it is incorrect nevertheless. Information security expenditures can be considered *part* of investments when they enable business processes, when they help complete value chains, open markets, deliver services and goods; but they are more like operational expenditures and similar to building maintenance or office overhead outlays.
Therefore expenditures in security contribute to the overall returns on capital allocations, but there is no ROI on security investments per se. I know that it is usual to speak about ROI on security as this seems to approximate what is deemed to be the “language of business”, but if you consider the subject from the point of view of microeconomics you will see that it is not possible to link security expenditures with capital returns.
Some people suggest that risk-based analysis is enough as it exists, but I think that cannot and will not properly substantiate information security investment in general and I&AM investment in particular.
I am going to propose here one more angle of the problem: the idea is that if there is a dominant or prevalent information security mode of thought, this prevalence will be also one of the main determining factors in the level of investment. In other words, with all the excuses necessary for this challenging question, it is conceivable that the influence of a particular mode of thought is a factor that at least in part explains the lack of success in substantiating security investments, either through over or under-investment, or both.
For sure there are other factors, some more important, like the general market conditions, the demand for technology, the extent of computer crime, the level of competition in each particular sector, and so on, but if there is a single factor that is under *our* control, it is the way information security requirements are estimated, demonstrated, justified, architected and delivered.
Certainly our influence is not so great that we could entirely determine how this happens, but in the measure we have influence we do set the standards. We advance the methods and the “theoretical insights”. It is there where we can lead and help reach optimal information security investment levels.
There wouldn’t be any problem if it could be demonstrated that the present level of investment is sufficient (not excessive, and not too low), that it is effective and well-balanced, but the evidence in recent years indicates the contrary (see references below).
On the other hand, if we recognise the problem and we want to counteract this situation, we need to do two things at least. One is to better substantiate effective investment and expenditure levels in security; and second, to lead this development so that our methodology becomes synonymous with greater returns and business benefits.
It is my contention that Risk–Based Analysis in insufficient to do either or both things. At the same time it is important to note that the “shift” to any other particular paradigm will not be enough. For example, Compliance-Based security cannot be seen as a complete response to the long predominance of Risk-Based security.
While the first corresponds to the mechanicist paradigm, in Stephen C. Pepper’s terminology, the second corresponds to the contextualist paradigm. Two other sides are missing for a complete picture: the organicist and the formist paradigms. Later I will explain how to exploit these methodologies without arriving at an eclectic mixture. For now the essential point is that we require input from each of these sides. We need all four, or better the products of all four, integrated selectively, progressively (according to Pepper’s selectivist or “fifth” root metaphor; see: https://people.sunyit.edu/~harrell/Pepper/Index.htm)