Security

Can you mitigate risk by replacing sensitive resources?

Risk assessment is about more than determining where you get your best security ROI. Sometimes, you need to examine the effects your resources have on your risk profile -- and get rid of them.

I bought a new bicycle recently.

I already have a bicycle -- a really nice bicycle. I'm the second owner of a custom Bridgestone double-butted steel frame road bicycle the original owner got directly from the factory in Japan. The whole thing weighs less than 20 pounds, with all premium parts (except the pedals; that's a long story). Everything that could be a Shimano Dura-Ace part when the bicycle was first put together about a decade ago is a Shimano Dura-Ace part. In fact, some of the parts aren't even available in the US, including a Dura-Ace stem for the handlebars, and the bicycle itself is effectively unique. If the Mavic ceramic wheels were stolen, I would be out hundreds of dollars just replacing those. The likelihood you have ever owned a bicycle as expensive as just one wheel from my Bridgestone is pretty slim. If I recall correctly, the bicycle was about $3500 at the time its first owner acquired it. Yes, it's that nice a bicycle.

I got this bicycle back in 2003 when I needed a very high quality bicycle, because I was getting into "serious" road cycling, complete with funny-looking stretchy cycling shorts. I didn't need one quite up to the standards of this bike, but -- being second-hand -- it only cost me about as much as a new bicycle of the level of quality I really did need. I was very lucky, and I quickly grew to love that bicycle.

Now, I bought a new bicycle, and I'm planning to sell my Bridgestone. The new bike cost me a grand total of $400 plus taxes, brand new. It is an obvious and significant step down in general quality, but it better suits my needs at this time. What I need now is a commuter bike, the kind of thing I'd use to ride around town and lock up in a bike rack outside a coffee shop, and the kind of thing I'd ride wearing jeans and a t-shirt. Some of my reasons for getting the new bike are entirely related to basic convenience: the Bridgestone's crank ring would snag the cuff of my jeans; the new bike, a Raleigh "performance hybrid", has a kickstand; because the Bridgestone's tires require 120psi of air pressure, they need to be topped off almost every time I ride it, and doing so with a hand-pump would be a miserable task; the Raleigh's tires are better suited to riding in case of rain or snow (it has 700c road wheels too, but the tires are not quite so narrow).

Some of the most compelling reasons I got the Raleigh, however, are security related.

For instance, almost everything on the Bridgestone is effectively a quick-release component. That can make it difficult to chain it up properly when I park it in a bike rack, so that someone won't just wander off with a single component worth hundreds of dollars.

The single biggest reason for using the Raleigh instead of the Bridgestone, however, is the fact that I have no interest in taking on more risk than necessary. I could go to great lengths to protect the Bridgestone, of course. One of the most important steps in a risk assessment is to determine what the greatest potential sources of damage are, in case of a security compromise, and give those resources a very high priority for applying security measures. Anything that is unlikely to cause much damage in a security incident shouldn't require nearly as much security attention as something that could cause irreparable harm, all else being equal.

In this case, however, there is a much simpler answer to the problem of securing high-damage resources. Because the risk represented by this bicycle is unnecessary, the simple answer is to replace it with something else that provides me with equal or better functionality for my current needs -- but that doesn't hurt nearly as much to lose. Replacing the wheels from my Bridgestone would likely cost me more than replacing my entire Raleigh bicycle, and the Raleigh is actually more appropriate to my current bicycling needs.

That's the half of risk assessment that many people forget about. They focus on the most likely threats, the most obvious vulnerabilities, and if the relative value of a resource comes into consideration at all it's usually as either an afterthought or an excuse to avoid employing any security at all. The oft-forgotten factor is a simple matter: Can you do the same thing with a resource that, once lost, doesn't hurt as much?

This doesn't mean I won't pay proper attention to the problem of securing my Raleigh bicycle. It just means that, if someone walks away with the entire bicycle while I'm inside a coffee shop, I won't lose nearly as much.

Plus, it has a kickstand -- not important for serious road cycling, where slowing to below 20 miles per hour basically only happens when you're done riding, but pretty important for commuting and casual riding around town.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

15 comments
larrie_jr
larrie_jr

The wrter needed to state his analogy much more succinctly, it was ALL about the bike. He needed to make the analogy much shorter, and then give a real world example of his thought process. What, in the writers opinion, would be an asset that would qualify for this scenario? EVERY resource I have in my network is utilized to the best of my ability...I know I don't have the luxury of a carte blanch yearly budget! But, ohhhh, what a world THAT WOULD BE!

Lee77
Lee77

this was a good analogy for having risky data (e.g. SSN and CNN) - much easier not to have than to try to protect - thank you for sharing

reisen55
reisen55

Outsourcing - a current mania of American management and here the danger is to replace in-house staff (generally the most dedicated of employees) with personnel far far away. Here, customer data and client data is thus put into the hands of staff and people YOU HAVE KNOWLEDGE OF. Nobody considers this factor really. How secure IS your data when it is now housed in, or managed by, people in Bangalore who have no direct alliegence to YOUR COMPANY but rather watch SLA levels on contracts and meeting that alone as their bell-weather gauge of success!!! The outsourced company loses all security controls in a single step and despite the assurances of the outsourcing firm (CSC, ACS, etc), they have no real vested interest in YOUR BUSINESS but, rather, keeping that seven year proposal alive and well as an income generator. Sensitive resources? Indeed.

tom
tom

If you could develop a locking mechanism for the Bridgestone that when activated it would lock all quick-release parts together, your risk of theft would be lessened. It may not address the cost of replacement of damaged parts but it certainly would substantially increase your level of security. If the bike represented a network of computers and the valuable parts represented data/information then having a lock that controlled the use of memory storage devices would be essential. Be it a Bike lock or USB lock the potential vulnerability of a loss needs to be assessed and action taken based on where one sets their limit of exposure.

apotheon
apotheon

Does the bicycle metaphor work for you? Hey, at least it wasn't another car analogy. Have you taken a good hard look at your IT resources to determine if you have high-cost risks that could be mitigated by replacing, or just factoring out, some of those resources?

Neon Samurai
Neon Samurai

I responded continuing to talk about a bike because, well, bikes are a pretty big bit of my upbringing outside of computers. At the same time, I also read it as an analogy for technology by taking the principles from one topic and considering how they apply to the other topics. If your budget is so limited, how is your coverage for replacing devices that fail or go missing. Going missing is physical security but security in general is also about disaster recovery. If the device fails and must be replaced, can you afford to replace it or would buying two cheaper units and keeping one on the shelf as an extra be worth considering? In a server, should I buy two SAS drives at 400$ each or three SATA drives at a much lesser cost leaving one spare out of the case to hotswap in? The bottleneck is going to be the network cards so the slower SATA read speed is not going to be an issue and both are raid and hotswap capable.

apotheon
apotheon

It's about [b]security[/b] and IT. Do you just have something against analogies? Are you unable to learn principles from one field (physical security) and apply them to another field (information security), even when those fields are closely related? What exactly is the problem?

Neon Samurai
Neon Samurai

.. does it make sense to replace it with a more easily replaced IT resource which provides the same function. One example may be using a lower cost router that has the required throughput versus a high cost router which is overkill for the need and beyond the budget to replace if it fails. If a company where silly enough to use an AS400 just for hosting websites, it may make sense to move the website to more common server hardware since that AS400 isn't going to easily be replaced (extreme example but it works I think). While the use of biking did apply to me outside of the IT world, that was how I read it applying too inside the IT world.

Neon Samurai
Neon Samurai

It's not a road racing engineering marvel but it's well into the "light" quality range and not something I could afford to replace. Being from a biking family, some levels of quality and equipment are a requirnment more than a nice-to-have item. It was a purchase when I was doing much more mountain biking down the local ski hills, on single track bush trails and commuting around a small and trustworthy town. seat, wheels.. all qick release. So now that I'm in the big city, I constantly get grief about refusing to take my bike to places where I can't secure it. Starting and ending at home is fine, too friends places where it can go in the back yard is fine. Trips tot he local grocery store doesn't work for me though as I'm not ready to carry a chain and sew it too the closest parking loop. I've actually had a little freestyle on my wishlist for the last few years; to provide a fully bolted and easily secured and obfuscated frame to rip around on and to get back to some of the fun things a mountain bike is less suited too now that I have easy access to so many fun concrete structures. ;) After all my rambling, the interesting point is that I hadn't conciously considered this in terms of security and risk; only that I couldn't replace one loss and could make a lesser loss less interest to a thief since I don't mine doing a nasty paint job on a little freestyle ripper.

larrie_jr
larrie_jr

We are talking about "physical Security" in this scenario, and that is Security 101... The VERY FIRST THING is to "lock the door" STILL looking for the correct responses in this post people! If this is all still on a theoretical plane, redundancy would negate this

cpr
cpr

I would bet that you had additional insurance coverage for your expensive bike, but downgraded the insurance for the cheaper bike. You still need the functionality of the bike, and you still need to protect the resource. The value of the 'potential' loss will dictate the effort you need to protect/insure the resource.

Neon Samurai
Neon Samurai

I'm not sure why the analogy only applies to physical security. The analogy seems valid for security in general from my understanding. Granted, I could be missing something. Could you elaborate on why this scenario only applies to physical security and what question you are "still looking for the correct responses" on?

Neon Samurai
Neon Samurai

I actually hadn't considered getting insurance coverage specificaly for each bike as they are both pedal bikes. To my mindset, it seemed about the same as getting my skateboard insured. (I'm long out of highschool but I still skate; fabulous sport and recreation that.)