This week’s question in our Ask Securosis series moves past a technology question into the realm of management and statistical research.
Scott asks:
… It seems that the companies Jason identified in his study have become the most productive in their industry sectors by streamlining, removing wasteful process, empowering staff, etc. (scary prospects for security professionals). Obviously, there is a cross-over point, of sorts, where this starts to impact information security in a way that puts them at risk for a big set-back that just hasn’t happened yet. I’d really like to find any references to studies regarding how “good security” positively or negatively impacts long term productivity. We security geeks have a gut feel that it has a positive effect, if done right. But we need data to prove it. In all your market research experience have you come across any such studies, and do you feel they provide solid evidence or arguments for the case of Security vs. Productivity? If you don’t know of any, then chances are that there aren’t any well documented ones. Since I don’t have the resources to do this kind of study myself, I’m thinking of approaching a university business school to see if they can do a follow-up study on the companies Jason found, and look at their records on security. Or I guess I could try to ask the author himself. I think this is a key issue for managers struggling to understand the trade-offs in security: how much productivity will they be forgoing if they commit to a real security initiative. I’d like to explore this idea more to help them understand the impacts.
No, I’m not aware of any study linking security with productivity metrics. Or even correlating highly productive companies with their security postures.
Since I can’t point you in the right direction to get the answer you’re looking for, I’ll focus on providing a few aspects to look at if you do decide to link up with a university and perform a proper study.
My gut feeling is there is an empirical problem in attempting a study like this. While we can accurately measure the productivity impact of certain security controls, correlating that to the additional risk exposure would, by nature, involve introducing risk metrics that are neither as precise nor as accurate as those measuring productivity. Risk measurements in infosec involve the use of estimates that don’t accurately reflect the full financial exposure of insufficient controls. We can never fully measure losses or potential losses, thus the numbers will be oranges to the apples of productivity measurements. The result is that it’s nearly impossible to use these measurements to balance security vs. productivity, and depending on how the numbers skew we will draw the wrong conclusions.
For example, they may show that passwords hurt productivity by X dollars, and security risk drops by an estimated Y dollars, with said estimate being nearly impossible to calculate accurately. We might end up thinking that because we’ve never had a system compromised due to a weak password, we don’t need them at all.
Okay, an extreme example, so here are a few ideas on how I’d look at the research.
Ideally I would try to find two organizations with equally good productivity, but variable security. If we can normalize enough of the variables, and find a big enough sample set, that gives us a good macro view on any causality. We might also look at a very productive company vs. a very secure company that isn’t productive. Good luck finding that.
But I think what you really want to do is devise a model to determine the productivity impact of potential security controls, not just security in general.
You should be able to measure that for any specific security control as long as you have a corresponding measurement of productivity. You should then map in estimates of risk measurements to make a decision. Otherwise, nearly every control will look like a pure productivity loss, even where the risk it removes would otherwise exceed acceptable tolerance. Also, this should take into account any alternative controls that achieve the same goal, with a lower productivity impact. And that control impact varies over time.
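As an added worked example (not part of the original post), here is the decision model described above reduced to code: a measured productivity cost per control, a risk reduction carried as an estimated range rather than a single number, alternative controls compared for the same goal against a residual-risk tolerance, and a projection of how a control’s net effect drifts over time. All figures, control names and the exposure are constructed for illustration; the interesting output is that the choice of control flips between the low and high ends of the risk estimate, which is exactly the apples-to-oranges problem described earlier.

```python
"""Added example, not part of the original post: a small decision model for the
productivity-vs-risk trade-off. Every figure below is constructed for
illustration. Productivity costs are treated as measured (precise); loss
reductions are treated as estimates and carried as (low, high) ranges."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Control:
    name: str
    goal: str                              # the exposure this control addresses
    productivity_cost: float               # measured: dollars of lost productivity per year
    loss_reduction: Tuple[float, float]    # estimated: (low, high) expected annual loss avoided


@dataclass(frozen=True)
class Exposure:
    goal: str
    expected_loss: float   # estimated baseline expected annual loss with no control
    tolerance: float       # maximum residual expected annual loss management will accept


def residual_loss(exposure: Exposure, control: Control, pessimistic: bool = True) -> float:
    """Expected annual loss left after applying the control, using either the
    low (pessimistic) or high (optimistic) end of the reduction estimate."""
    reduction = control.loss_reduction[0] if pessimistic else control.loss_reduction[1]
    return max(exposure.expected_loss - reduction, 0.0)


def cheapest_acceptable(exposure: Exposure, controls: List[Control],
                        pessimistic: bool = True) -> Optional[Control]:
    """Among alternative controls for the same goal, pick the one with the
    smallest productivity impact that still keeps residual loss within tolerance."""
    acceptable = [c for c in controls
                  if c.goal == exposure.goal
                  and residual_loss(exposure, c, pessimistic) <= exposure.tolerance]
    if not acceptable:
        return None
    return min(acceptable, key=lambda c: c.productivity_cost)


def estimate_sensitive(exposure: Exposure, controls: List[Control]) -> bool:
    """True when the chosen control differs between the pessimistic and
    optimistic ends of the risk estimate, i.e. the decision is being driven
    by the imprecise number rather than the precise one."""
    return (cheapest_acceptable(exposure, controls, True)
            != cheapest_acceptable(exposure, controls, False))


def net_benefit_by_year(control: Control, years: int, cost_growth: float = 0.0,
                        reduction_decay: float = 0.0, pessimistic: bool = True) -> List[float]:
    """Project net benefit (loss avoided minus productivity cost) for each year,
    letting the cost drift up (e.g. headcount) and the reduction decay
    (e.g. users working around the control), since control impact varies over time."""
    base = control.loss_reduction[0] if pessimistic else control.loss_reduction[1]
    return [base * (1 - reduction_decay) ** y
            - control.productivity_cost * (1 + cost_growth) ** y
            for y in range(years)]


# Constructed scenario (hypothetical numbers): three ways to address one exposure.
CREDENTIALS = Exposure(goal="credential compromise", expected_loss=130_000, tolerance=80_000)
CONTROLS = [
    Control("no control", "credential compromise", 0, (0, 0)),
    Control("passwords with rotation", "credential compromise", 8_000, (10_000, 120_000)),
    Control("SSO with hardware token", "credential compromise", 15_000, (60_000, 150_000)),
]


if __name__ == "__main__":
    for pessimistic in (True, False):
        pick = cheapest_acceptable(CREDENTIALS, CONTROLS, pessimistic)
        label = "pessimistic" if pessimistic else "optimistic"
        print(label, "->", pick.name if pick else "nothing acceptable")
    print("decision sensitive to risk estimate:", estimate_sensitive(CREDENTIALS, CONTROLS))
    print(net_benefit_by_year(CONTROLS[2], 3, cost_growth=0.10,
                              reduction_decay=0.20, pessimistic=False))
```

With these constructed numbers the pessimistic end of the estimate selects the stronger control and the optimistic end selects the cheaper one, so `estimate_sensitive` reports that the productivity number alone cannot settle the question; that is the case where the post warns a manager is likely to draw the wrong conclusion.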
At this point we’ve just created enough complexity that measuring the performance impact of a security control is now greater than the performance impact of said control.
My advice? We spend more time identifying the most efficient ways to be secure with the least performance impact.
2 Replies to “Ask Securosis: Security vs. Productivity”
Allen,
I agree - there are cases where security directly increases productivity. But more often than not there isn’t direct causality. Antispam is a great example where it does work, but I suspect most people won’t make the remote access connection you do in the example above.
The more I think about my response, the more I realize that my problem isn’t that I don’t think security ever improves productivity, but I have little faith in the average corporate manager (non security, of course) to make the right connections.
It’s similar to the problem in risk management. We can pretty clearly quantify productivity loss, but with a few exceptions, we can’t cleanly quantify risk avoidance as productivity gains since we get bogged down into the potential losses mess.
Hmm… I think this is worth another post, and for those of you reading the comments you can find Allen’s post on this at: http://securethink.blogspot.com/2008/02/productivity-vs-security.html
Rich,
Your answer to the question shows a very negative base thought.
Your assumption is that all security controls actually decrease productivity. This may be the case in an example where passwords are used versus not used. But information security may actually increase productivity, e.g. where spam is blocked and the user does not need to spend hours sorting email. Alternatively, if browsing is restricted and time-wasting sites like Facebook and Securosis (kidding) are blocked, then productivity goes up.
My big security theory (which I wish I could put into practice) is that once companies achieve a security zen state (sorry if that is copyright) when security becomes part of the culture and is built into all systems then it actually increases productivity in a way that could actually help the bottom line.
In response to the original poster – if Information Security is at odds with the processes of the business then either the process is wrong or the information security is wrong.
If you tack on security after the fact your thinking will always be wrong.
Example:
A sales-rep is always on the road. Because he lives in the North part of town that is where his customers are. He has a list of customers and their details in his laptop. He also has their buying trends and banking details so he can confirm payment. The ISO sees all of this and almost has a heart attack. He implements a rule that the sales person can download only the clients that he is going to see that day onto his laptop and it must be done over a VPN. Sales guy also has to have his laptop encrypted and a password protected screensaver. He can, if he wants to, drive into work and download the information over the network but work is far from his house and his customers.
Man, productivity has gone to hell. He now has to dial in every day for a few minutes where in the past he didn’t. He has to type in passwords every time he needs to use his PC. What a schlep.
But… if you think about the savings in terms of productivity compared to driving to work and getting the information, printing it out and then filing it away at the end of the day (another trip) – the complete system is amazing. It is saving the sales rep from making two trips a day into the office. All that needs to happen now is that it needs to be made secure and a few extra seconds each time information is needed and a few minutes at the beginning and end of each day to sync information is a pleasure compared to driving to work in rush hour traffic for no reason.