by | April 11, 2009 · 12:00 am
Jump to Comments

Schneier’s Security Trade-offs

Bruce Schneier has 5 questions for assessing security and the trade-offs that are made during the assessment process.

  1. What assets are you trying to protect?
  2. What are the risks to these assets?
  3. How well does the security solution mitigate those risks?
  4. What other risks does the security solution cause?
  5. What trade-offs does the security solution require?

Schneier’s questions surfaced around 2004, but they still are a powerful way to analyze the need for and impacts of a security action. The questions can also be helpful to auditors when reviewing or testing an internal control (a la Sarbanes-Oxley); just substitute “control” for “security solution.”

Read Schneier’s thoughts on these questions and the trade-offs in this interview.

Final thought: When answering #4, don’t forget the risks to productivity that users may face when the security gate slams into place.

Advertisements

Leave a comment

Filed under Audit, Security

Tagged as , , , , , , , , , , , ,

Leave a Comment

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.