Information Technology Reference
In-Depth Information
Security Is Linked to Value and Ownership
Security is linked to value. People and organizations protect and secure
what is of value to them. One protects one's house because one owns
it. One does not spend money trying to protect the neighbor's house. The
concept of value is closely linked to ownership, which, in turn, is related
to property rights. This does not mean that one can protect only what
one owns directly — one can invest in protecting certain aspects of the
neighborhood because it indirectly affects one's own house security,
quality of life, and real estate values. Why is it important to determine
the owner? It is important because this person or entity that gets value
from keeping the asset secure ends up bearing the costs associated with
the security. These costs can be nontrivial.
Because most organizations have limited security budgets, resources
must be allocated among competing security needs. Before one starts
funding the most obvious areas — such as data — one must understand
the larger space that constitutes one's security problem domain. One needs
to understand that data, per se, has no intrinsic value. It is the “use” to
which this data can be put that gives it a value (Figure 16.4). Stealing a
person's social security number makes sense only if it can be used to get
something else of value — more information, or physical goods, or any
service. This differentiation between the data, and how it attains value
only when used, provides one with an opportunity to intervene at a
different place in the larger system. It allows one to work with a model
that is more sophisticated. A loss at one point in the chain can be
compensated by actions elsewhere. Instead of trying to physically recover
a lost credit card, it can be disabled in the credit card system, and
Security is linked to value
Figure 16.4
People protect what is valuable.
