Bruce Schneier has 5 questions for assessing security and the trade-offs that are made during the assessment process.
- What assets are you trying to protect?
- What are the risks to these assets?
- How well does the security solution mitigate those risks?
- What other risks does the security solution cause?
- What trade-offs does the security solution require?
Schneier’s questions surfaced around 2004, but they are still a powerful way to analyze the need for, and the impacts of, a security action. The questions can also help auditors when reviewing or testing an internal control (à la Sarbanes-Oxley); just substitute “control” for “security solution.”
Read Schneier’s thoughts on these questions and the trade-offs in this interview.
Final thought: When answering #4, don’t forget the risks to productivity that users may face when the security gate slams into place.