Note: this blog is a mirror of my HP Labs Blog, on the same topic, accessible at: http://h30507.www3.hp.com/t5/Research-on-Security-and/bg-p/163

Tuesday, January 6, 2009

Economics of Identity Management & Risk-driven Identity Management

Kim Cameron’s post “The economics of vulnerabilities …” highlights a few key points made in Gunnar Peterson’s notes about the importance, when making security decisions, of taking into account (1) the assets at stake in an organization and (2) their value.

Specifically, I found the following point very interesting:

“… If you are like most businesses you will find that you spend most on Network, then Host, then Applications, then Data. Congratulations, Information Security, you are diametrically opposed to the business!”

I tend to agree that decisions and investments made in the security space are quite often not really driven by risk management or “value-at-risk” criteria.

This is also true in the Identity Management (IdM) space. Quite often the starting point, when making investment decisions in this field, is purely the IdM functionality and the “general” added value it could provide to a business. It would help to couple this with an analysis of the actual business assets at stake that need protecting (business processes and services, information, etc.), their value, the threats involved and the related risks.

As previously mentioned in my blog, I believe that we should start discussing the “Economics of Identity Management” in the wider context of the “Economics of Information Security”.

In the medium/long run, what are the consequences (in terms of costs, risk exposure, usability, agility, reputation loss, etc.) of decisions made in the space of identity management, given the context and the assets involved? What are the feasible trade-offs and available options? Which key factors are truly relevant and need to be taken into account to make informed decisions?

So far, I have found no major discussions about the “Economics of Identity Management” and the above points. I am very keen on getting your input, observations and links.

In the context of the Identity Analytics R&D project, I am indeed interested in researching and exploring this area.

--- Posted by Marco Casassa Mont ---
