
Monday, 11 January 2010

Is information security like preventive health care?

It's hard to find a good model for the cost-effectiveness of information security. Traditional risk management methodologies fail miserably because the unknowns that information security addresses typically can't be quantified like the unknowns that risk management methodologies are designed to handle. This means that the model of information security as an insurance policy really doesn't work very well.

What other models might work better? What about preventive health care? Preventive care is similar to information security in some ways. In both cases we spend money to prevent bad things from happening, and we hope that this will reduce the need to spend money after the bad things have happened.

According to the survey of medical literature done by Joshua Cohen, Peter Neumann and Milton Weinstein that was recently published in the prestigious New England Journal of Medicine, it turns out that most types of preventive care really aren't worth doing. Their analysis shows that, on average, it's really no better to spend money on preventive care than to treat existing conditions. This doesn't mean that all types of preventive care aren't worth doing. There are many cases where preventive care pays. Counseling adults to quit smoking is apparently an example of this, as is providing flu vaccines.

Cohen, Neumann and Weinstein also list cases where preventive care is beneficial but very expensive, things like "newborn screening for medium-chain acyl-coenzyme A dehydrogenase deficiency." (Yes, I'll admit that I have absolutely no idea of what that means.)

In some cases, preventive care actually increases costs and worsens health. A treatment like "antibiotic prophylaxis (amoxicillin) for children with moderate cardiac lesions who are undergoing urinary catheterization" is apparently an example of this.

So if information security is like preventive health care, how well would popular information security technologies fare in a similar analysis? It's probably not too hard to come up with examples of technologies where using the technology is no better than simply absorbing the cost of not using it at all. Are there any obvious examples of technologies where you'll probably end up both spending more and getting worse security if you use them?
