Hello,

We noticed you're browsing in private or incognito mode.

To continue reading this article, please exit incognito mode or log in.

Not an Insider? Subscribe now for unlimited access to online articles.

Business Report

Data Security Is a Risk-Management Problem

It’s unproductive to think of security as a series of threats to be overcome, a computer scientist argues.

Computer security is an unsolvable problem. So instead of trying to solve it, companies should think of network security as a set of risks that are inherent in doing business online. Viewing security from that perspective will lead to better decisions and superior technological design.

Obviously, security gives rise to some straightforward problems, and businesses should examine whether they have solved them. The recent revelation that the payment protocols in some widely used e-commerce sites allowed customers to purchase even physical goods without paying is an example of a security problem that is quantifiable and solvable.

But more often, computer security is better tackled with a risk-management approach, one that does not require exact quantification. It’s a personnel problem—much like office conflict, minor theft, misrepresentation of employee credentials, and employee health. Consider that employees who take risks to get their jobs done are both assets to the organization and threats to computer security. For example, an employee who manages to tunnel around the corporate firewall to log in remotely sees the positive results of access from home. The employee’s supervisor sees only increased productivity. Security risks are part of getting the job done. Networking and connectivity inherently include risk just as hiring a human being inherently carries risk.

Security as risk management is not a new idea, but recognizing that the risks can never be entirely eliminated requires a different way of thinking. “Threats” must be countered or neutralized. In contrast, risks are mitigated or shifted. In the 1970s environmental regulators observed that the greatest risks may come from the pursuit of zero risks, and much the same can apply when critical business functionality is limited by security.

Because effective security management requires managing the human element, risk communication needs to be part of any mitigation strategy. Individuals will work around security constraints that prevent them from working effectively: “The computer wouldn’t let me” is not an acceptable reason for failure. If the choice is between computer security compliance and getting the job done, security compliance will lose every time. An employee who takes files home in order to work on the weekend experiences only increased output, and intends only the best for the organization. Conversely, if employees understand that they are indeed taking risks, and putting the organization at risk, then they can be persuaded to protect the organization. Computer security can be transformed from a set of seemingly arbitrary requirements (created by some technical others who do not understand the work to be done) into a reality of daily living, like locking the car, that everyone has to do.

Consider the difference between role-based access control (in which the data an employee is allowed to access is determined by his or her place in the organization) and a newer model called risk-based or incentive-based access control. Role-based access control assumes a perfect understanding about an individual’s role and his or her need for access to resources. Access may be difficult to gain, but it is typically long-lived and inflexibly spelled out in IT or HR departments. Employees are motivated to have as much access as possible, in order not to be blocked from seeing a file, for example, at what appears to them to be an arbitrarily determined moment. That often leads to workarounds, such as password sharing among employees who must access multiple systems to do their jobs. Yet sharing passwords and access structurally, systematically subverts access control.

In contrast, incentive-based access control provides a rough estimate of the risk inherent in accessing information. It grants an employee access to company data for the time period requested—for a price. Each employee has a risk budget, which is spent at a rate that corresponds to particular access rights and actions. So the employee who keeps access rights when they are no longer needed will have less freedom to work with sensitive data later. But an employee who urgently needs access can obtain it quickly and efficiently. Of course, certain tasks can remain always prohibited, such as approving a bidder or issuing a check. But overall, giving employees a risk budget rather than a static role gives them the incentive to minimize the employer’s risks.

Some researchers have proposed broadening the adoption of security standards by changing default settings in software and hardware so that security is difficult to avoid, or by striving to make overall systems easier to use. Inarguably, it is sometimes appropriate to force or persuade people to use security technologies. But each of these steps fails as a model for security as a whole because it approaches security as a goal that can be reached rather than a risk that must be managed. 

Viewing security as a series of threats that must be overcome is a vestige of the military model of computer security. Computer security is not a war to be won against the malicious. Rather, computer security is a continuing interaction with the networked environment. Just as the natural environment has inherent risks and benefits, so does the networked environment.

L. Jean Camp is professor of informatics and computing at Indiana University and the author of Trust and Risk in Internet Commerce.

The latest Insider Conversation is live! Listen to the story behind the story.

Subscribe today
Already a Premium subscriber? Log in.

Uh oh–you've read all of your free articles for this month.

Insider Premium
$179.95/yr US PRICE

More from Business Impact
Securing Data

How technology advances are changing the economy and providing new opportunities in many industries.

Want more award-winning journalism? Subscribe and become an Insider.
  • Insider Plus {! insider.prices.plus !}* Best Value

    {! insider.display.menuOptionsLabel !}

    Everything included in Insider Basic, plus the digital magazine, extensive archive, ad-free web experience, and discounts to partner offerings and MIT Technology Review events.

    See details+

    What's Included

    Unlimited 24/7 access to MIT Technology Review’s website

    The Download: our daily newsletter of what's important in technology and innovation

    Bimonthly print magazine (6 issues per year)

    Bimonthly digital/PDF edition

    Access to the magazine PDF archive—thousands of articles going back to 1899 at your fingertips

    Special interest publications

    Discount to MIT Technology Review events

    Special discounts to select partner offerings

    Ad-free web experience

  • Insider Basic {! insider.prices.basic !}*

    {! insider.display.menuOptionsLabel !}

    Six issues of our award winning print magazine, unlimited online access plus The Download with the top tech stories delivered daily to your inbox.

    See details+

    What's Included

    Unlimited 24/7 access to MIT Technology Review’s website

    The Download: our daily newsletter of what's important in technology and innovation

    Bimonthly print magazine (6 issues per year)

  • Insider Online Only {! insider.prices.online !}*

    {! insider.display.menuOptionsLabel !}

    Unlimited online access including articles and video, plus The Download with the top tech stories delivered daily to your inbox.

    See details+

    What's Included

    Unlimited 24/7 access to MIT Technology Review’s website

    The Download: our daily newsletter of what's important in technology and innovation

/
You've read all of your free articles this month. This is your last free article this month. You've read of free articles this month. or  for unlimited online access.