Economics of Security
By Roy D. Follendore III
Copyright (c) 2002 by RDFollendoreIII
There is an intrinsic relationship between the value of security and the economics of security. The study of economics is the study of exchanges and tradeoffs between one or more value systems. Economics is a ubiquitous concept within security because security is very much a philosophy of the implementation of tradeoffs.
This essay presents some of the aspects of security economics that arise from rational theories of security. The idea is not to try to understand security piecemeal, but to establish a rational conceptual framework within which the economics of security can be understood. Without the academic establishment of such a philosophy, both the scientific basis and validity of security processes and procedures remain questionable.
One last note: You probably should relax and eliminate distractions if you intend to understand this philosophical essay about the origins of the economics of security. Within this paper I have chosen to intentionally mix ideas from the fields of sociology, physics, communication, engineering and of course economics. The journey to understand this subject is admittedly a bit strange but also fascinating and entirely necessary to understand if you want to "get" what the idea of "rational security engineering and consulting" is really all about. The implications of a rational security philosophy have impacts on many other fields of human endeavor.
December 6, 2002
The Economic Origins of Security from an Anthropological Perspective
Primitive prehistoric man understood his universe in terms of stimulus and response. His sense of security simply involved his corporal ability to exist. Fear could not be intellectually isolated as the same concept we understand today because existence did not need to make sense. The bonds of human society were predicated upon unity to the physically strongest rather than independent thought and expression. Things that were out of man's ability to physically manipulate were rationalized in terms of symbolic myths which could be "theoretically" controlled. These symbols became the token Gods that were worshiped and rationalized to exist because they could be bribed through sacrifice. In a very real way, religion began as a way of gaining a sense of security.
The Economics of Security from a Physics Perspective
It is therefore fitting that this essay should begin with the concept that everything in the universe is always vulnerable and therefore always insecure. (So much for the absolute concept of security.) Everything is always being threatened because it is under a state of constant change. Change always exists because it represents time itself. We can modify our relationship to time but we may not eliminate it. Without time, perhaps there would be no change, but there could also be no dimensions, no thoughts and therefore for us nothing recognizable that could exist to perceive its existence. In other words, the absence of time also represents a risk to the universe, and the elimination of all possible vulnerabilities defines matter as an absolutely uniform dense mass. By definition this is conceptually a black hole.
The ultimate security paradox is that if we were to somehow choose to become secure in absolute terms, we would also be asking ourselves to cease to exist. As previously stated, absolute security is not something that is possible and in the final analysis, it is also not something that any of us should desire. Nor for that matter should we necessarily want ourselves or that which we love or desire to be held highly secure from threats. I have written previously in other essays that as things become more secure, they tend to have less practical value. Something which becomes so secure also becomes both economically and physically impossible to control or maintain. What is of great value essentially becomes lost. When things become too secure, they are no longer obtainable because in assuring absolute security, we are also choosing to give up our rights to access. We should be willing to consider security in terms of parallels in theoretical physics: like the concept of a black hole, when the universal idea of security is extended there is an "event horizon" which can be thought to exist.
On Redefining the Theoretical Boundaries of Security Through the Perspective of Physics
Absolute Security is of course by its nature an infinitely extreme conceptual perspective. Near Absolute Security is just as useless and purposeless a practical concept. This is a conception of security which still remains beyond the cost of any potential future economics. By definition, there can be no economic value which could create such security and therefore no economic value that could arise from it. As we move the theoretical concept of security closer to that of realized possibility, there comes a point at which all of the energies and matter available to mankind could be economically extended to create what can be called the "Useful Point of Theoretical Security." This threshold point also remains absolutely infeasible because it defines the value of all potential human existence in terms of security. Any point below the physical conversion of 100% of mankind's potential control over mass energy defines the state below that Point of Absolute Theoretical Security where "Physically Feasible Security" begins.
The moment that we begin discussing Physically Feasible Security it becomes immediately apparent that there are constraints other than physics involved. In terms of conceptual physics it eventually becomes practical to define some arbitrary point below the Useful Point of Theoretical Security where something we might engineer could be useful. For one thing, we are no longer considering using up all of our potential resources to accomplish a goal. This becomes the point where values originate. The physical potential to do something is not the same thing as having the motivation to accomplish something. Values which human societies coalesce and agree upon are based on values which are enabling rather than disabling. To represent value we engineers must do that which is positive and beneficial. Moreover, the existence of society is continuously evolving and diverse. There is more value to a society in retaining capabilities while continuing the search for capabilities than in giving up potential alternatives. All of this means that the science of economics exists at the heart of the concept of security because economics is the study of the exchange of value within systems.
The Economics of Security from a Mythological Perspective
As the title of this essay implies, this is obviously just the kind of place that our journey was supposed to take us. We deliberately took the long way because in order to understand the explicit it is often necessary to understand the implicit. The implied ideas represented through the existence of a larger universe are what have shaped our thinking of physical theory and they must exist within our philosophical equation. Security is about the economics related to the creation and exchange of value systems. While these values may be expressed in terms of technology, security is fundamentally not about technology per se. Technology represents the symbolic totem as well as a functional means for creating and working through the values of security. Just as the value of a dollar changes, even as it physically rests within a secured bank vault, so too the value of security changes as it resides within a properly operational system. This is the reason why good security is not just about good technology. It is about the value of establishing and maintaining security goals.
As technology has advanced, man has been learning that even the best technology does not suddenly induce good security. This is why Good Security is neither random nor risk free. Good Security must be purposefully rational and created from referenced and redeemable analytical valuations arising from the social values and standards of client organizations. These are morally and productivity based, highly complex, constantly biased transactional valuations. Such valuations are therefore not subject to a technical physical embodiment without analytical tools. Assured control of technical security arises from certifiable test and measurement standards, which allow the detection of truth relating to the implementation of these abstract values which can be appropriately assessed and maintained.
Because we are able to create the mythical technological Gods we choose to worship, we find it too easy to forget what we are in relation to what it is that we wish to become. We are the modern equivalent of priests, alchemists and magicians who are manipulators of entropy but we do not create entropy. By this I mean that our economic choices affect entropy but not the existence of entropy. Fear of entropy is ultimately the primary economic issue of security. Our predecessors feared the arrival of lightning and thunder. Like our predecessors, the greatest concern of our fear is the potential of unwarranted and undesirable reactions that reduce the probability of success. But like our ancestors we have begun to learn that running away from a storm often means running away from potential success. The unfortunate resulting reactionary byproduct of fear is the failure to embrace the risk as a part of reward. Unwarranted risk avoidance stifles progress by undermining creativity and limiting growth. We need our myths about security in order to brave the next storm. Make no mistake, security myths are real and they affect the physical makeup of engineered systems.
Myths are therefore of tremendous economic importance and value to security because they allow us our psychological opportunities to delay fear and therefore more economically assess, appraise and reach consensus about risks and opportunities which are available to us within stochastic environments. Myths allow us the time required to operate on our perception of reality from the perspective of reflection rather than inflection. Failure occurs when risks no longer appear to match opportunities and we come to realize that the myths we have created are no longer viable. It is the implementation of rational security certification processes that monitor the functionality of secure transactional processes which should and must determine an economic suitability with respect to the values of risk and reward. It is then the purpose of technical security engineering to create appropriate solutions as required. It is the duty of security consultants to assure the best practices are advised so that the philosophy is maintained.
The economics of security is a holistic ideal and not an isolatable, reducible concept. Security is like the first mythological religious attempt to control that which is uncontrollable so that it is possible to gain order to that which is irrational. Like the mythos of ancient religions, security must be understood in terms of the whole, rather than in terms of the explicit. Isolated individual events become too easily trivialized as meaningless rituals. Scientific and Engineering perspectives fail to achieve an understanding of the economics of security because of the perception that ideas must be reducible to fit into neat complete solutions. Such reductionist perceptions are doomed because they simplistically permute the relationships of contextual values. The economics that make security better involves the degree to which the totality of dynamic abstractions can be simultaneously maintained and sustained. This is the degree of sustainable flexibility with respect to time. It is the metric which describes the best available security and the philosophical basis for the best consulting and engineering practices.
The Economics of Security from a Technical Perspective
The practice of good security economics is difficult because there are many competing factors that must be consistently and constantly reevaluated with regular periodicity. It is unimportant which security solution is currently dominant as long as the best solution is being utilized for the best period of performance. Significant economic factors of security not only do not necessarily coincide with respect to time, they may not be apparent without both an intimate and insightful perspective. Feedback is critical to understanding these dynamics. The important economic issues within security do not simply come to us, we must go to them and engineer authenticated pathways through which security procedures can be observed. An example is the idea that advances in our processes of development have somehow not changed the state at which we must begin thinking about security.
One of the greatest myths in technology today is that when we choose to develop a system, we are developing that system from scratch. Modern software development is not a process that runs from particle, to nuts and bolts, to machine, to system. At the fundamental level, most systems are built through the purchase of predefined "modules" which are then embedded and implemented into the developmental goal. Some of these modules arrive to the software project as part of the tools which coders have written for other projects and have found useful. Other code modules are part of commercial packages or exist within the public domain. Few excellent coders write their project code completely from scratch because it is cost and schedule prohibitive. This represents an essential embedded economic factor that should be recognized and understood.
At the other end of the security project scale and at a higher level, there are partial and complete Commercial Off The Shelf (COTS) software systems and module products which are designed to be integrated. Most of these products are far easier to implement than to develop. They save time and money because through their integration they "offer" the ability to reach developmental solutions in a single stroke. The greatest attraction however is the fact that they often offer implementation and upgrade support that can be purchased at a far lesser cost than maintaining a staff. From the management perspective this long-term overhead can be considered a critical issue to the economic bottom line.
Security Economics of the Human Factor
The kinds of employees that are required to maintain these systems are technical and can be brought in and trained. For the organization, these individuals represent security. They are often brought in with commercial security certifications which are supposed to demonstrate that they are experts. They are often then provided organizational titles which do not actually reflect their lack of professional experience and understanding. These employees may be economically suitable to security system maintenance but what they understand about security is questionable. The gap in internal organizational knowledge exists because the best minds in security are valuable and costly to maintain.
These are known creative experts in their field with lifecycle knowledge and experience of explicit as well as global security issues. Because of their level of professionalism, they do not tend to tolerate maintenance positions very well and they find security incompetence difficult to swallow. These are exactly the kinds of sensitive individuals that are capable of rapidly identifying, evaluating and solving the most complex and difficult security problems. They are also exactly the kinds of employees that can be considered by organizational managers as "problem makers." Putting this kind of talent into a maintenance mode is like taking an experienced Navy Seal and dropping him into the position of a Meter Maid. The internal economics of what makes these security experts successful in what they do can be exactly what makes them unsuitable for organizational security positions.
The Security Economics of Production Management
Knowledgeable, decisive, outspoken security professionals are probably invaluable only five percent of a software lifecycle and tolerable to day-to-day operations only twenty five percent of the time. But when security is bleeding an organization, they can rapidly patch the problem and identify the problem solutions. Too often, management is satisfied with the short term economics of the fix and recommended solutions are never satisfied. Management tends to define productivity success in terms of those things which directly contribute to concrete profits that arise from productivity, rather than the activities of the defense of the infrastructure through which productivity is achieved.
This view is in error because it ignores the fact that security is a positive productivity enhancing factor in the ability of organizations to reach their dynamic goals. Security not only protects, it contributes to productivity by allowing better and more difficult goals to be achieved. Security can reduce transactional errors, connect the unconnectable, and flatten the hierarchical organizational structure. Security improves communication, reduces or eliminates noise, and delegates both responsibility and authority. Security is not merely a shield, it is a powerful productivity tool for managers that should exist as a part of their economic quiver. The problem of management perception is not just in the definition of security, it is in the acquisition and utilization of resources which can define the criteria through which such productive based security measures can be achieved.
Placing the proper dynamic resources toward security is important because it allows the best path to be achieved. What is true with respect to human resources is also true for establishing and maintaining the security criteria of hardware and software. The economics of security is therefore not based on a barren state defined by an absence of change, it is based on the search for that stable status quo where the potential for change is in the favor of optimum solutions. Within security there is no state of rest. Within business, industry and government security solutions, the economic concept of standing still is the same as moving backwards.
In the past, security was thought to be something that could be embedded once and forgotten, so security systems were indeed embedded and forgotten. As new technologies arose, the embedded security processes were overlaid upon each other and they were connected to each other. The original justifications for these systems were lost as new objectives came and went. Some of these security systems no longer provide security so they simply reduce operational performance, but others have been overcome by technical and operational events so that they no longer provide the necessary kind of security. Given the inevitability of such an avalanche of change over time, all technical security fails us.
Within this essay many different concepts about the economics of security have been raised. The model of security that has been presented comes from both physical and sociological phenomena. This idea of security is not a brick that once set in mortar becomes a fixed solution. The economics of security represents a function defining points where there can never be absolute solutions though there are always critical opportunities. In this way, the economics of security is no different from the economic ideas of technology itself. It is important how we manage the expressions of these ideas.
Expressions of the Economics of Security
The myths that have been projected upon security are a part of our sociological makeup which are expressed through our choices in our language. We cannot easily express the philosophies which are required for the economics of security because our concepts are foundered by words which do not appropriately and effectively express the relationships between the concepts which have been discussed. It is also the imperious nature of the words we use which distracts us from our responsibilities. One simple example is that when we say that we are "secure" it does not mean that we are also "safe." The implied economics of the terms are simply not the same. We may feel absolutely secure but never absolutely safe, yet even the best security experts sometimes use these words interchangeably. This may seem like a picky point, but when we indiscriminately choose to ignore such semantic distinctions we are failing our craft of security as well as our science.
The Importance of the Economic Security Philosophy
No true security plan exists without the means to define what that plan means with respect to the total sense of security economics. Security design definitions and specifications that are ill defined, limited and indefinite with respect to security economics fail to anticipate opportunities. The only means to achieve solutions that do requires the recognition of the importance of an economic security philosophy upon which security doctrine can be based. This is because doctrines are too rigid to represent the myriad of potential concerns and must also be adaptable. It is relatively easy to define a technical security approach. But it is difficult and costly to properly define an appropriate security economic philosophy and can be far more difficult and expensive to maintain one. Within private industry, the difference between a technical security approach with or without a well founded economic security philosophy comes down somewhere between being out of business and being highly competitive. The economics of that choice comes down to being all about the ability to maintain the correct rational philosophy of security.
Copyright (c) 2001-2007 RDFollendoreIII All Rights Reserved