This week’s question in our Ask Securosis series moves past a technology question into the realm of management and statistical research.

Scott asks:

… It seems that the companies Jason identified in his study have become the most productive in their industry sectors by streamlining, removing wasteful process, empowering staff, etc. (scary prospects for security professionals). Obviously, there is a cross-over point, of sorts, where this starts to impact information security in a way that puts them at risk for a big set-back that just hadn’t happened yet. I’d really like to find any references to studies regarding how “good security” positively or negatively impacts long term productivity. We security geeks have a gut feel that it has a positive effect, if done right. But we need data to prove it. In all your market research experience have you come across any such studies, and do you feel they provide solid evidence or arguments for the case of Security vs. Productivity? If you don’t know of any, then chances are that there aren’t any well documented ones. Since I don’t have the resources to do this kind of study myself, I’m thinking of approaching a university business school to see if they can do a follow-up study on the companies Jason found, and look at their records on security. Or I guess I could try to ask the author himself. I think this is a key issue for managers struggling to understand the trade-offs in security: how much productivity will they be forgoing if they commit to a real security initiative. I’d like to explore this idea more to help them understand the impacts.

No, I’m not aware of any study linking security with productivity metrics, or even one correlating highly productive companies with their security postures.

Since I can’t point you in the right direction to get the answer you’re looking for, I’ll focus on providing a few aspects to look at if you do decide to link up with a university and perform a proper study.

My gut feeling is there is an empirical problem in attempting a study like this. While we can accurately measure the productivity impact of certain security controls, correlating that to the additional risk exposure would, by nature, involve introducing risk metrics that are neither as precise nor as accurate as those measuring productivity. Risk measurements in infosec rely on estimates that don’t accurately reflect the full financial exposure of insufficient controls. We can never fully measure losses or potential losses, so the risk numbers will be oranges to the apples of the productivity measurements. The result is that it’s nearly impossible to use these measurements to balance security against productivity, and depending on how the numbers skew we will draw the wrong conclusions.

For example, the numbers may show that password controls hurt productivity by X dollars, while security risk drops by an estimated Y dollars, with that estimate being nearly impossible to calculate accurately. We might end up concluding that because we’ve never had a system compromised due to a weak password, we don’t need password controls at all.

Okay, an extreme example, so here are a few ideas on how I’d look at the research.

Ideally I would try to find two organizations with equally good productivity but different security postures. If we can normalize enough of the variables, and find a big enough sample set, that gives us a good macro view of any causality. We might also look at a very productive company vs. a very secure company that isn’t productive. Good luck finding that.

But I think what you really want to do is devise a model to determine the productivity impact of potential security controls, not just security in general.

You should be able to measure that for any specific security control as long as you have a corresponding measurement of productivity. You should then map in estimates of risk to make the decision. Without the risk side, nearly every control will look like a pure productivity loss, even where the risk of not having it exceeds acceptable tolerance. The model should also take into account any alternative controls that achieve the same goal with a lower productivity impact, and recognize that a control’s impact varies over time.
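As an added illustration of the per-control model described above (this is example code written for this post, not Securosis’ own methodology, and every figure in it is constructed), the script below puts a precisely measurable productivity cost beside an imprecise risk estimate expressed as a range, then classifies each control as justified, not justified, or indeterminate, and picks the cheapest justified alternative for the same goal. The control names, user counts, minutes lost, and loss-avoided ranges are all hypothetical sample inputs.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed assumption: fully loaded cost of one employee hour, in dollars.
HOURLY_COST = 60.0


@dataclass(frozen=True)
class Control:
    """One candidate security control and the inputs needed to compare it."""
    name: str
    users: int                        # staff affected by the control
    minutes_lost_per_user_per_day: float  # measured friction (the precise number)
    workdays: int                     # working days per year
    loss_avoided_low: float           # risk side: annual loss avoided, low estimate
    loss_avoided_high: float          # risk side: annual loss avoided, high estimate


def productivity_cost(c: Control) -> float:
    """Annual productivity cost in dollars. This side can be measured directly."""
    total_minutes = c.users * c.minutes_lost_per_user_per_day * c.workdays
    return round(total_minutes * HOURLY_COST / 60, 2)


def net_benefit_range(c: Control) -> tuple:
    """(low, high) net annual benefit: loss avoided minus productivity cost.

    The width of this interval is the uncertainty carried over from the risk
    estimate; the productivity cost itself contributes none.
    """
    cost = productivity_cost(c)
    return (round(c.loss_avoided_low - cost, 2), round(c.loss_avoided_high - cost, 2))


def verdict(c: Control) -> str:
    """Classify a control. 'indeterminate' means the risk estimate is too wide
    to say whether the control pays for itself, which is the honest answer."""
    low, high = net_benefit_range(c)
    if low >= 0:
        return "justified"
    if high < 0:
        return "not justified"
    return "indeterminate"


def cheapest_justified(controls: list) -> Optional[Control]:
    """Among alternative controls for the same goal, pick the justified one
    with the lowest productivity impact; None if none is clearly justified."""
    candidates = [c for c in controls if verdict(c) == "justified"]
    if not candidates:
        return None
    return min(candidates, key=productivity_cost)


# Constructed sample: three ways to address the same credential-compromise goal.
PASSWORD_COMPLEXITY = Control("Complex password policy", 500, 1.0, 250, 50_000, 400_000)
ROTATION_90_DAYS = Control("90-day forced rotation", 500, 2.0, 250, 20_000, 150_000)
SSO_MFA = Control("SSO with MFA", 500, 0.3, 250, 80_000, 400_000)
ALTERNATIVES = [PASSWORD_COMPLEXITY, ROTATION_90_DAYS, SSO_MFA]


if __name__ == "__main__":
    for c in ALTERNATIVES:
        print(f"{c.name:28s} cost ${productivity_cost(c):>10,.2f}  "
              f"net ${net_benefit_range(c)[0]:>11,.2f} .. ${net_benefit_range(c)[1]:>11,.2f}  "
              f"{verdict(c)}")
    best = cheapest_justified(ALTERNATIVES)
    print("Cheapest justified alternative:", best.name if best else "none")
```

Two design points worth noting. The productivity side is computed from measured minutes and a known labour rate, so it has no interval; the risk side is deliberately kept as a low/high pair, and a control is only marked justified when even the low estimate covers its cost. That is what keeps the apples-and-oranges mismatch visible rather than collapsing it into a single misleading number. Changes over time can be modelled by re-running the same comparison with updated minutes-lost figures, for instance after staff have adapted to a new login flow.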

At this point we’ve created enough complexity that the effort of measuring the productivity impact of a security control is now greater than the productivity impact of the control itself.

My advice? Spend more time identifying the most efficient ways to be secure with the least productivity impact.