Can you mitigate risk by replacing sensitive resources?

Risk assessment is about more than determining where you get your best security ROI. Sometimes, you need to examine the effects your resources have on your risk profile -- and get rid of them.

I bought a new bicycle recently.

I already have a bicycle — a really nice bicycle. I'm the second owner of a custom Bridgestone double-butted steel frame road bicycle the original owner got directly from the factory in Japan. The whole thing weighs less than 20 pounds, with all premium parts (except the pedals; that's a long story). Everything that could be a Shimano Dura-Ace part when the bicycle was first put together about a decade ago is a Shimano Dura-Ace part. In fact, some of the parts aren't even available in the US, including a Dura-Ace stem for the handlebars, and the bicycle itself is effectively unique. If the Mavic ceramic wheels were stolen, I would be out hundreds of dollars just replacing those. The likelihood you have ever owned a bicycle as expensive as just one wheel from my Bridgestone is pretty slim. If I recall correctly, the bicycle was about $3500 at the time its first owner acquired it. Yes, it's that nice a bicycle.

I got this bicycle back in 2003 when I needed a very high quality bicycle, because I was getting into "serious" road cycling, complete with funny-looking stretchy cycling shorts. I didn't need one quite up to the standards of this bike, but — being second-hand — it only cost me about as much as a new bicycle of the level of quality I really did need. I was very lucky, and I quickly grew to love that bicycle.

Now, I bought a new bicycle, and I'm planning to sell my Bridgestone. The new bike cost me a grand total of $400 plus taxes, brand new. It is an obvious and significant step down in general quality, but it better suits my needs at this time. What I need now is a commuter bike, the kind of thing I'd use to ride around town and lock up in a bike rack outside a coffee shop, and the kind of thing I'd ride wearing jeans and a t-shirt. Some of my reasons for getting the new bike are entirely related to basic convenience: the Bridgestone's crank ring would snag the cuff of my jeans; the new bike, a Raleigh "performance hybrid", has a kickstand; because the Bridgestone's tires require 120psi of air pressure, they need to be topped off almost every time I ride it, and doing so with a hand-pump would be a miserable task; the Raleigh's tires are better suited to riding in case of rain or snow (it has 700c road wheels too, but the tires are not quite so narrow).

Some of the most compelling reasons I got the Raleigh, however, are security related.

For instance, almost everything on the Bridgestone is effectively a quick-release component. That can make it difficult to chain it up properly when I park it in a bike rack, so that someone won't just wander off with a single component worth hundreds of dollars.

The single biggest reason for using the Raleigh instead of the Bridgestone, however, is the fact that I have no interest in taking on more risk than necessary. I could go to great lengths to protect the Bridgestone, of course. One of the most important steps in a risk assessment is to determine what the greatest potential sources of damage are, in case of a security compromise, and give those resources a very high priority for applying security measures. Anything that is unlikely to cause much damage in a security incident shouldn't require nearly as much security attention as something that could cause irreparable harm, all else being equal.

In this case, however, there is a much simpler answer to the problem of securing high-damage resources. Because the risk represented by this bicycle is unnecessary, the simple answer is to replace it with something else that provides me with equal or better functionality for my current needs — but that doesn't hurt nearly as much to lose. Replacing the wheels from my Bridgestone would likely cost me more than replacing my entire Raleigh bicycle, and the Raleigh is actually more appropriate to my current bicycling needs.

That's the half of risk assessment that many people forget about. They focus on the most likely threats, the most obvious vulnerabilities, and if the relative value of a resource comes into consideration at all it's usually as either an afterthought or an excuse to avoid employing any security at all. The oft-forgotten factor is a simple matter: Can you do the same thing with a resource that, once lost, doesn't hurt as much?

This doesn't mean I won't pay proper attention to the problem of securing my Raleigh bicycle. It just means that, if someone walks away with the entire bicycle while I'm inside a coffee shop, I won't lose nearly as much.

Plus, it has a kickstand — not important for serious road cycling, where slowing to below 20 miles per hour basically only happens when you're done riding, but pretty important for commuting and casual riding around town.


Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

Editor's Picks