Secure or “Secure Enough”?

Secure or "Secure Enough"?

When we talk about security, it is often not clear what the end goal is beyond an unspecified "secure state." Which begs the question, when is security good enough? I almost never hear business leaders or security professionals begin a security conversation from this perspective, but this is precisely the conversation business leaders should be having with their security experts. Before I dive deeper into this, I would like to describe how I see most security projects approached.
Security as free from vulnerabilities:
This is the main approach I see. One describes a system to protect, determines all vulnerabilities present in the system, and proposes fixes. When all identified vulnerabilities have been secured against, the system is declared secure. This is the "secure state." Often this approach fails due to the costs of implementing security measures or the pain and disruption such measures have on the business. There is conflict between business and security.
Let me give an example from the physical world. Let's say you own a small shop where you sell merchandise. For security reasons, you have a lock on the door. When you close shop, you lock the door. For the sake of argument, we are going to assume the lock is sufficiently difficult to pick, and we are not worried about professional lockpicks. Instead, I would like to focus on the door. Most shops I see have glass doors. This makes sense; it lets your customers see in and entices them into the store, and lets your employees see out so they can see who is at the door. When we think of security from this vulnerability approach, the following chain of events may occur:
You identify your door as vulnerable to baseball bats and other club-like objects. These are easy to obtain, legal to carry, and will easily shatter your door, allowing thieves to simply walk in and steal your merchandise.
To secure your door, you need to make it invulnerable to baseball bats (that is our "secure state," that is, no longer vulnerable). To do this, you add a simple gate in front of the door. You have probably seen these pull-down gates in front of other stores. Now when the thief uses his bat, the gate gives a little and returns to normal.
You now identify your gate as vulnerable to bolt cutters. A thief merely must cut a few links to make a hole, use his bat on your door, and again, he is in and stealing merchandise. Further security is needed. So, you replace your cheap gate with a more expensive solid metal door. It is strong enough that a bat cannot damage it, and solid so bolt cutters cannot break through it. You have no doubt seen these as well.
But now you identify a new vulnerability. Someone could use a truck to smash through the gate and door and gain access. Now you need to install bollards to protect against vehicle threats.
Surely now, after thousands of dollars, you have reached a secure state with no vulnerabilities, yes? Well no. Now we see that someone could use explosives (rather than a vehicle) to breach the gate and break in. Now these are expensive and illegal, but still within the realm of possibility. How will you protect against this? Why security guards, of course! Have a guard physically present outside watching. Of course, you will need two because they need to relieve one another and ensure they do not fall asleep.
Here you decide that this is too expensive for the type of merchandise you have, and you go back to a simple lock, which you declare "good enough" and that you are "secure enough."
Eventually, the cost of implementing additional protections against vulnerabilities simply becomes too hard, too expensive, and too unrealistic to implement. Here, the secure state is never achieved, and, in fact, is unachievable. There will always be a vulnerability, albeit increasingly unlikely (or decreasingly likely, depending on how you prefer your probability calculations). This sets everyone up for failure as the goal can never be reached.
Instead, let's look at this from a "good enough" perspective. In this case, "good enough" means "secure enough" or protected from the most likely vulnerabilities and where cost and difficulty are appropriate for the value of the assets being protected. Once you can conceive of security in this light and define this state, you can both achieve your objective and make informed decisions surrounding the security measures put in place. Let's look at this example again, this time from the perspective of a jewelry store with high-value merchandise.
Security as "good enough":
What is "good enough"? Well, we are going to define that as the state of being protected from opportunistic and semi-professional thieves. We will not worry about protection from highly skilled or professional threats. This means when a vulnerability can only be exploited by someone who is either a professional criminal or who requires a high level of skill, we will accept that vulnerability.
Now we look at what our vulnerabilities are: We still have the glass door, and we have highly valuable merchandise. We are vulnerable to the glass being smashed as before; this time we consider not eliminating the vulnerability but managing it. We opt to go with glass that is significantly more difficult to break, such as safety glass. Professionals have tools that can bypass this, but we are not concerned with them, and while this is not foolproof, it is more cost-effective than the gate option.
We now look at our new vulnerabilities based on this new glass. A determined semi-professional could, of course, continue smashing the glass until they get in. We will add similar glass to our display cases as a second layer of protection (defense in depth) as an affordable defense, and we will add an alarm system, which will trigger an audible alarm and the police department in the event either the door or display case glass is broken. We look again at our security posture and ask, "Is this good enough?". We have protected against opportunistic threats by making the glass significantly more difficult to get through and added a layer of protection against the determined or semi-professional by adding a second layer of glass and an alarm as a deterrent. We have also leveraged a response via the police to minimize the time the threat has to cause damage (i.e., the amount of merchandise stolen).
The remaining (and new) vulnerabilities require either high skill or a professional to exploit, such as disabling the alarm or cutting through the glass without triggering the alarm and based on our secure state definition in step 1, we can accept these. Management now declares the store to be in a "secure state" as we have protected against all the threats and vulnerabilities that do not require high skill or professional threats to exploit. Security is happy as their recommendations have been taken seriously. Management is happy as security has been achieved.
In our first case, we did not achieve our initial objective of a vulnerability-free secure state, and in the end, security and the business were at odds. The end state of the first method left us with "good enough" or "as good as we can afford" but introduced conflict and required changing objectives. In our second case, because we knew we only had to be "good enough" and knew which types of threats and vulnerabilities were acceptable to remain, we were able to tailor the security to be both cost-effective and meet the objective. This was a collaborative method that understands the limitations of the real world while setting an achievable goal that leaves the organization in an acceptably secure state. Note too that in the second method, it is the business that determines what is "good enough" rather than external threats and vulnerabilities.
So, when is security "good enough"? When you, the business, say so. If there is an external standard you need to meet, security is good enough when it both meets that standard and meets your own internally defined secure state. We need to accept that there will always be threats and vulnerabilities to any security measure and work on finding the acceptable level of security each business determines meets their unique needs.