• Phil Venables

Fundamental Drivers of Information Security Risk

As I get older and (hopefully) wiser it has become ever more apparent that all the issues and risks we face arise from a small number of basic “forces”. These manifest in different ways in different contexts - strip away the detail and most issues usually stem from one of these. I don’t claim originality here - some have been said and used by others before me. I’m also not convinced this list is actually complete.

  1. Information wants to be free. Data leaks unless managed, access degrades w/o rules, information is ethereal. In the broader context of the term, from Stewart Brand: “Information wants to be free. Information wants to be expensive....that tension will not go away”.

  2. Code wants to be wrong. Bugs are inevitable (in all their forms - requirements, design, implementation), some bugs are security vulnerabilities, exploitable bugs can become realized risk. I first heard this from @bobblakley I think.

  3. Services want to be on. Attack surface grows, risk is proportional to attack surface, unknown services are never checked. There’s a - Murphy’esque - corollary of this which is “Services want to be on, unless you really want them to be on and then they often fail.”

  4. Entropy is king. Unchecked controls degrade with time, untested resilience fades with time, constant counterbalance is needed. Everything degrades unless countered with a force to keep it in place.

  5. Complex systems break in unpredictable ways. Simple systems that work may still collectively fail when composed together - and will often do that in unpredictable and volatile ways.

  6. People and organizations respond to incentives - but not always the ones we think are rational. The macro/micro economics of InfoSec are important to align incentives to reduce the right risks with the right priorities with factors like opportunity and productivity cost.


Bottom line: new issues and risks surface all the time. The more we can resolve those to some basic forces, and counter (or use) those forces - the less likely we will be surprised by those new issues.

292 views0 comments

Recent Posts

See All

This can be an emotive topic for many people. It is one, I’ve found, colored more by dogma than nuance (as it seems with many things these days) and so it is often hard to have a reasoned debate about

Do analogies actually help us or do they set back our ability to drive change? On the face of it they are a useful explanatory tool, as are metaphors and perhaps even similes. But at what point is the

Defense in depth is a well accepted security principle. Intuitively, it stipulates there should be multiple lines of controls so as to reduce the likelihood of successful attacks even in the presence