why security must be viewed from a systems perspective. Diligent efforts
restricted to only some portion of a larger system may leave other doors
open.
What Are the Options Outside of Technology?
Technology is not the only way to protect against risks. Insurance is a
popular form of managing risks in other industries. The insurance related
to information security, however, is a relatively nascent area and the
options may be limited.
Not every risk must be resolved through investments. A business may
be prepared to bear the costs associated with the risks if and when they
materialize. It may be a valid choice for some small and medium
businesses. In a similar manner, some companies may not have a full-fledged
security initiative, but choose to increase the security of some of the
existing processes. For example, a company may start encrypting backups
and treat this merely as an enhancement to the backup process.
In certain environments, it makes sense to display some aspects of the
available security. A visible security apparatus can discourage aggressors.
Signs put up by home security agencies, or, for example, car alarms, act
as a deterrent. They exploit the fact that the intruder has a limited window
of opportunity in which to work, and would prefer to invest his time and
opportunity elsewhere, where there is no such deterrent. Many Web sites
have started displaying security logos. Sometimes, the logo reassures the
customer more than it deters the attacker.
Understanding Security Costs Is Important
Businesses are still trying to understand the costs of security. It is clear
that it is not a one-time cost. Security costs extend throughout the life
cycle of the application and could be substantial. Even if the application
is not functionally enhanced and left untouched, it may require security
maintenance because new threats, new information, and changes to
implementation environments can make a “secure” application insecure.
We are at a stage where security costs are often underestimated. As
more experience is gained, these estimates will definitely improve. Because
these costs can increase the overall cost of the project and infrastructure,
there may be a temptation to ignore them, leaving security to be taken
care of by someone else. Bid evaluation procedures should be modified
to explicitly bring out security-related costs.
Existing projects may not have included security-related development
costs in the initial estimates. This might surprise some customers who