Is audit logging useful?
Do audit logs actually help prevent security incidents? They don't directly stop anything from happening: they are a detective control, not a preventive one, and whatever deterrent effect they have rests on the threat of being discovered. They certainly help identify who did something, but even that isn't 100 percent reliable. An attacker who has taken over someone else's credentials or session shows up in the logs under the impersonated identity, so the log records which account acted, not which person. Or attackers could simply delete the logs, or the part of the logs that records what they've done, unless the logs are shipped promptly to a separate system they can't write to. So does logging really help or not?
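The "just delete the logs" objection has a standard partial answer, shown here as an added example that is not part of the original post: a hash-chained audit log in which every entry commits to the hash of its predecessor, so deleting or editing an entry breaks the chain, and a head hash kept somewhere the attacker can't write (a remote collector, a write-once bucket) catches truncation at the end. The event records, field names and the `build_chain`/`verify_chain`/tampering helpers are my own constructions for illustration, not any product's format.

```python
import hashlib
import json
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample audit events for the demo; not real log data.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"ts": "2024-05-01T09:00:00Z", "actor": "alice", "action": "login", "src": "10.0.0.5"},
    {"ts": "2024-05-01T09:02:10Z", "actor": "alice", "action": "read", "target": "/finance/q1.xlsx"},
    {"ts": "2024-05-01T09:03:45Z", "actor": "alice", "action": "sudo", "cmd": "rm /var/log/auth.log"},
    {"ts": "2024-05-01T09:04:00Z", "actor": "alice", "action": "logout"},
]

GENESIS = "0" * 64  # hash that the first entry chains from

Entry = Dict[str, Any]


def _digest(prev_hash: str, record: Dict[str, Any]) -> str:
    """SHA-256 over (previous entry hash || canonical JSON of this record)."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + payload).hexdigest()


def build_chain(events: List[Dict[str, Any]]) -> List[Entry]:
    """Append each event to the chain; the sequence number is part of what gets hashed."""
    entries: List[Entry] = []
    prev = GENESIS
    for seq, ev in enumerate(events):
        record = {"seq": seq, **ev}
        h = _digest(prev, record)
        entries.append({"record": record, "prev": prev, "hash": h})
        prev = h
    return entries


def verify_chain(entries: List[Entry], expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if intact, else (False, index of the first entry that fails).

    expected_head is the last hash as recorded off-host. Without it, a chain that
    has simply been cut short at the end still verifies, which is why the anchor
    has to live somewhere the attacker cannot write.
    """
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["prev"] != prev or e["record"].get("seq") != i or _digest(prev, e["record"]) != e["hash"]:
            return False, i
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(entries)
    return True, None


# Three things an intruder with write access to the log file might try.
def delete_entry(entries: List[Entry], index: int) -> List[Entry]:
    """Remove one entry from the middle of the chain."""
    return entries[:index] + entries[index + 1:]


def edit_entry(entries: List[Entry], index: int, field: str, value: Any) -> List[Entry]:
    """Rewrite one field of one record (e.g. change the actor) without touching the hashes."""
    copied = [dict(e, record=dict(e["record"])) for e in entries]
    copied[index]["record"][field] = value
    return copied


def truncate(entries: List[Entry], keep: int) -> List[Entry]:
    """Drop everything after the first `keep` entries."""
    return entries[:keep]


if __name__ == "__main__":
    chain = build_chain(SAMPLE_EVENTS)
    head = chain[-1]["hash"]  # this is the value you ship to the collector
    print("intact:", verify_chain(chain, head))
    print("entry 2 deleted:", verify_chain(delete_entry(chain, 2), head))
    print("actor rewritten:", verify_chain(edit_entry(chain, 2, "actor", "bob"), head))
    print("tail cut, no anchor:", verify_chain(truncate(chain, 3)))
    print("tail cut, with anchor:", verify_chain(truncate(chain, 3), head))
```

Note what this does and doesn't buy you. Deleting or editing an entry is detected at that entry, and the off-host head hash turns a silent truncation into a verification failure. It does nothing for the impersonation problem: the entries still name the account that acted, so an attacker using stolen credentials is recorded as the victim, and no amount of integrity protection on the log changes that.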
This is very similar to the situation where police use video cameras to record what's happening on the street. Video cameras also don't directly stop criminals from behaving badly, but rely on the threat of being caught to keep them from committing crimes. In the case of video cameras, there are studies that support their effectiveness and studies that claim they don't do any good. As in most public policy debates, both sides of this particular issue probably selectively quote the statistics that support their position, which makes it hard to decide what's really true. So video cameras might or might not be effective at preventing crime, but they're probably effective at helping catch criminals after they've committed a crime.
I've never seen any reliable data on the effectiveness of audit logging, but I'd guess that it's very similar to the use of video cameras. That's not very helpful, of course, because it means we can probably say that audit logging either helps prevent security incidents or doesn't, just like video cameras apparently either do or don't prevent crime. I'd be very interested to see data which clarifies exactly how effective audit logs are at preventing security incidents, as well as exactly how frequently they're compromised by hackers, but I don't think that information is easy to find.