Incertainty and decisions (1)

Security for the majority of us is a decision making game. Unless we are a terrorist or a mercenary we will most likely be on the defensive side of the operations. Being on the defensive side is often trying to fill holes with a limited budget while being everywhere at the same time, it sucks and we all know it. You have a limited budget, uninformed or misinformed managers, ignorant vendors and you’re trying to protect company data.

The limit on the security budget is often parallel to the limit of the support you get from upper management.

Is everything really lost then? Isn’t there anything we can do?
There are many things that can be done but the most important one is to be able to decide correctly. We don’t know who the attacker will be or where he’ll come from, we don’t know when he will attack and we don’t even know what he’s looking for. The only thing we can be sure of is that he’ll attack.

We can look at the company we work for, a 50 employee, family owned shoelace manufacturer for example. Who would attack us and why? Shoelaces aren’t worth much on the black market and the patent drawings you have in the safe… well it’s basically a string right?

Unless you use solid gold machines for the production we can dismiss any physical attack, thus minimize our physical security investments. Today’s technology allows us to have highly effective systems such as motion detectors and alarms at rather low costs which would be enough to stop thieves and delinquents. We can also dismiss any attacks on the personel except for some extreme scenarios like hostage situations or looting, both of which are police business.

The main targets then would be information and financial.
Defacing the company website, stopping all internet communication (mails and VoIP), accessing employee records or gaining access to bank accounts can be the most imminent threats we would have to cover.

These categories would be mainly reversed for a jewelry shop where physical security would be more important. An initial prioritization of threats will help us get better direction for our security investments. We then have to think “what would they go after?”.