The Hand rule

The Hand rule is a principle that everyone working in the field of information security should know about. It’s an example of a balancing test. In such tests, courts try to make outcomes depend on a reasonable balance between competing interests.

The Hand rule can be traced back to the 1947 ruling in United States v. Carroll Towing Co., in which Judge Learned Hand held that liability depends on comparing the cost of preventing an accident with the expected loss from that accident. Here’s what Hand actually said:

"Possibly it serves to bring this notion into relief to state it in algebraic terms: if the probability be called P; the injury, L; and the burden, B; liability depends upon whether B is less than L multiplied by P: i.e., whether B < PL."

This means that if it costs $2,000 to prevent an expected loss (P multiplied by L) of $1,000, you’re not negligent if you don’t spend the $2,000. Hand’s ruling has been extensively studied by economists and game theorists, who seem to love finding pathological cases where the general principle produces unexpected outcomes. An example of this can be found here.

The Hand rule is a good general principle to know and understand, but it can be difficult to apply to the decisions that information security managers need to make because the data that’s needed often isn’t available. In most cases, neither the probability of security incidents happening nor the damages that result from an incident are known very well.

Consider the simple case of a web server. Almost all software has some sort of security vulnerability. Some just haven’t been discovered yet. In such a situation, what’s the probability of your web server being hacked? And if it is hacked, how do you put a dollar value on the damage that’s caused? Because it’s hard to answer questions like these accurately, it’s hard to apply the Hand rule in a meaningful way. So although the Hand rule is often used in other risk management disciplines, it’s typically not very useful in information security.

