top of page
Search

Fundamental Drivers of Information Security Risk

  • Phil Venables
  • Jul 21, 2019
  • 2 min read

As I get older and (hopefully) wiser it has become ever more apparent that all the issues and risks we face arise from a small number of basic “forces”. These manifest in different ways in different contexts - strip away the detail and most issues usually stem from one of these. I don’t claim originality here - some have been said and used by others before me. I’m also not convinced this list is actually complete.

  1. Information wants to be free. Data leaks unless managed, access degrades w/o rules, information is ethereal. In the broader context of the term, from Stewart Brand: “Information wants to be free. Information wants to be expensive....that tension will not go away”.

  2. Code wants to be wrong. Bugs are inevitable (in all their forms - requirements, design, implementation), some bugs are security vulnerabilities, exploitable bugs can become realized risk. I first heard this from @bobblakley I think.

  3. Services want to be on. Attack surface grows, risk is proportional to attack surface, unknown services are never checked. There’s a - Murphy’esque - corollary of this which is “Services want to be on, unless you really want them to be on and then they often fail.”

  4. Entropy is king. Unchecked controls degrade with time, untested resilience fades with time, constant counterbalance is needed. Everything degrades unless countered with a force to keep it in place.

  5. Complex systems break in unpredictable ways. Simple systems that work may still collectively fail when composed together - and will often do that in unpredictable and volatile ways.

  6. People and organizations respond to incentives - but not always the ones we think are rational. The macro/micro economics of InfoSec are important to align incentives to reduce the right risks with the right priorities with factors like opportunity and productivity cost.


Bottom line: new issues and risks surface all the time. The more we can resolve those to some basic forces, and counter (or use) those forces - the less likely we will be surprised by those new issues.

Recent Posts

See All
High Frequency Trading and Lessons for Agentic AI

I suspect I’m not the only former or current financial markets technologist that sees parallels between the world of high frequency / algorithmic trading controls and what is needed for appropriate de

 
 
Maintenance of Everything : A Review

I haven’t done a book review for a while and there’s no better way to get back to this than a look at Stewart Brand’s Maintenance of Everything . Stewart developed a lot of this book in an open editin

 
 
The Real Role of the Field CISO

We all need to advance our businesses and that is in many respects about selling. We also need to recognize that security and reliability are increasingly the path to sustainable long term customer su

 
 
Subscribe for updates.

Thanks for submitting!

© 2020 Philip Venables. 

bottom of page