Schneier’s Security Trade-offs

Bruce Schneier poses five questions for assessing a security measure and the trade-offs it involves.

  1. What assets are you trying to protect?
  2. What are the risks to these assets?
  3. How well does the security solution mitigate those risks?
  4. What other risks does the security solution cause?
  5. What trade-offs does the security solution require?

Schneier’s questions surfaced around 2004, but they remain a powerful way to analyze both the need for a security action and its impacts. The questions can also help auditors when reviewing or testing an internal control (à la Sarbanes-Oxley); just substitute “control” for “security solution.”

Read Schneier’s thoughts on these questions and the trade-offs in this interview.

Final thought: When answering #4, don’t forget the risks to productivity that users may face when the security gate slams into place.
