A BMI for security

It would be nice if there was an easy way to quantify security with a single number. If you had a security score of 85 last week and ended up with a security score of 91 this week, that might justify thinking that all of the time and effort that you spent on rolling out that new DLP system was finally paying off. Or it might just end up being a game that you play, spending your budget on things that increase your security score, even if they don’t really increase the level of security that your organization is providing. On the other hand, it’s probably impossible to find a single number that works well for every organization. It’s probably even impossible to find one that works well for most organizations. My experience with the body mass index (BMI) leads me to believe that this is the case.

I’ve only been in the “normal” range for the BMI at one point in my life, and that’s when I was training for long-course triathlons, races that combine a 1.2-mile swim, a 56-mile bike ride, and a 13.1-mile run. I was training about four hours a day back in those days, and I was just at the upper end of the “normal” range for the BMI, even though I was incredibly thin. The problem is that I’m a bit more muscular than the average guy on the street. When I backed off to only two hours of training per day, I crept back up into the “overweight” range, even though I was still incredibly thin.

I wasn’t doing long-course triathlons at that point, but I was still doing Olympic-distance races (1.5 km swim, 40 km bike, 10 km run) and marathons. I was extremely thin, had a resting heart rate in the 40s, and probably had an extremely low chance of developing any sort of obesity-related disease despite my BMI saying that I was overweight. Apparently the BMI wasn’t designed to account for people who were both thin and muscular at the same time.

I’d guess that any single number that you can come up with has a similar limitation. A single number might be able to give you a rough idea of how good something is, but that estimate is probably only accurate for the sample that was used to create the single number. So if we create a way to quantify security by looking at companies in the financial services industry, it might be a useful indicator for companies in the financial services industry but not for ones that make consumer products. These industries operate in very different ways, and what makes sense in one may not make sense at all in the other.

It seems unlikely that we’ll ever be able to create a single number that quantifies how much security we have, but I often wonder how close we can come. Can you find three or four numbers that quantify security well? What if you go up to 12? At some point you should be able to capture enough information to be useful. It’s just not clear that the number of numbers you need to do this is small enough to be manageable.

