How do you measure it?
In Lord Dunsany’s story “Jorkens’ Revenge,” the Munchausen-like Jorkens manages to win an unusual wager with his nemesis, Terbut: Jorkens bets him £5 that it is further from Westminster Bridge to Blackfriars Bridge than it is from Blackfriars Bridge to Westminster Bridge.
The perplexed Terbut then finds that the taxi ride one way is indeed longer than the ride the other way and grudgingly pays Jorkens £5 without fully understanding why he lost the bet. The secret to Jorkens’ victory, of course, is that the road between the two bridges is shaped like an arc of a circle, and driving an arc of a smaller radius gives you a shorter distance than driving an arc with a larger radius.
This example demonstrates fairly clearly that exactly how we measure things can be very important.
Measuring the effectiveness of information security technologies is not as easy as taking a taxi ride and noting odometer readings, but it is a critical part of making the right decision about whether or not to make investments in your corporate IT infrastructure.
One of the most detailed attempts at doing this was made by Kevin Soo-Hoo in his doctoral dissertation at Stanford. Curiously, his models seem to show that the benefits of encryption outweigh its costs, yet encryption still hasn’t become very popular. On the other hand, his models also seem to show that the benefits of a firewall aren’t justified by its cost, but I doubt that many people could be convinced not to use a firewall on the strength of such a cost-benefit analysis. It makes you wonder exactly how people decide whether or not to use particular security technologies. If they don’t use a careful cost-benefit analysis, how do they make such decisions?