top of page
  • Phil Venables

Fundamental Drivers of Information Security Risk

As I get older and (hopefully) wiser it has become ever more apparent that all the issues and risks we face arise from a small number of basic “forces”. These manifest in different ways in different contexts - strip away the detail and most issues usually stem from one of these. I don’t claim originality here - some have been said and used by others before me. I’m also not convinced this list is actually complete.

  1. Information wants to be free. Data leaks unless managed, access degrades w/o rules, information is ethereal. In the broader context of the term, from Stewart Brand: “Information wants to be free. Information wants to be expensive....that tension will not go away”.

  2. Code wants to be wrong. Bugs are inevitable (in all their forms - requirements, design, implementation), some bugs are security vulnerabilities, exploitable bugs can become realized risk. I first heard this from @bobblakley I think.

  3. Services want to be on. Attack surface grows, risk is proportional to attack surface, unknown services are never checked. There’s a - Murphy’esque - corollary of this which is “Services want to be on, unless you really want them to be on and then they often fail.”

  4. Entropy is king. Unchecked controls degrade with time, untested resilience fades with time, constant counterbalance is needed. Everything degrades unless countered with a force to keep it in place.

  5. Complex systems break in unpredictable ways. Simple systems that work may still collectively fail when composed together - and will often do that in unpredictable and volatile ways.

  6. People and organizations respond to incentives - but not always the ones we think are rational. The macro/micro economics of InfoSec are important to align incentives to reduce the right risks with the right priorities with factors like opportunity and productivity cost.


Bottom line: new issues and risks surface all the time. The more we can resolve those to some basic forces, and counter (or use) those forces - the less likely we will be surprised by those new issues.

393 views0 comments

Recent Posts

See All

The 80 / 20 Principle 

Ever since I first became familiar with the 80/20 principle, and other circumstances marked by Pareto distributions, I began to see examples of it everywhere. Naturally, I’m particularly biased to obs

Best Security Movies (and some that haven’t been made yet)

Everyone has their list of favorite security movies and I bet some are on everyone’s list. There’s also a set of movies that aren’t totally about security but have it as a big part of the story arc. M

Top Ideas and Posts from 2023

Thankfully I managed to keep up the pace of 1 post every 2 weeks throughout 2023. Just when I think I might be running out of ideas, and the backlog of topics is running low, then something always man

bottom of page