Schneier’s Security Trade-offs

Bruce Schneier offers five questions for assessing a security measure and the trade-offs it entails.

  1. What assets are you trying to protect?
  2. What are the risks to these assets?
  3. How well does the security solution mitigate those risks?
  4. What other risks does the security solution cause?
  5. What trade-offs does the security solution require?

Schneier’s questions surfaced around 2004, but they are still a powerful way to analyze both the need for a security action and its impacts. The questions can also help auditors when reviewing or testing an internal control (à la Sarbanes-Oxley); just substitute “control” for “security solution.”

Read Schneier’s thoughts on these questions and the trade-offs in this interview.

Final thought: When answering #4, don’t forget the risks to productivity that users may face when the security gate slams into place.
