Why Bruce Schneier is wrong times infinity
commentary On his Web site, Bruce Schneier describes himself as "an internationally renowned security technologist and author". If Schneier is indeed the "guru" certain parts of the media portrays him to be, when why when interviewed by ZDNet.com.au's sister site Builder AU, did he reveal himself to be so clueless?
In the video clip above, Builder AU editor Chris Duckett asks Schneier "why security cost justifications are complete bullshit?" While Duckett isn't known for pulling punches, he's actually quoting Schneier here.
At first, Schneier's explanation of ROI seems sensible, he talks about "measuring the cost of an attack" and "working out the probability of an attack". He then rightfully points out that "it's how all insurance companies build their business models."
But then things get kooky. "This fails when you have very, very rare and very, very expensive events," explained Schneier. "If you have taken any infinity theory — which I don't recommend — you are effectively multiplying zero by infinity."
Now perhaps I don't understand the complexities of Schneier's maths, but if a security threat has a zero probability of occurring, it seems to me that it isn't a security threat. Further, why are you multiplying by infinity? What security attack could possibly have infinite cost? Businesses have a finite value, just as there is a finite amount of money in the world.
Schneier makes a valid point by saying that calculating probabilities and costs of an ROI model is difficult — but it's really nothing a little maths can't solve. Speaking of maths, Schneier goes on to argue that small changes in probability can "completely perturb" IT budgets. Sounds scary.
"If the chance of you being attacked are say one in one million, and I change that to one in two million, who cares? I've suddenly halved the amount of money you should spend... I can completely perturb your budget," he says.
OK, so let's do some maths. Let's take Schneier's example and apply it to a small IT company worth AU$8 million. Let's take the worst case scenario and say that our theoretical one-in-one million attack will cost the complete value of the company.
In this case, the IT company should spend AU$8 dollars defending against the attack — the probability multiplied by the cost. If this probability moves to one-in-two million, then the company should spend AU$4 defending against the attack. As the probabilities get smaller — and harder to calculate — the cost variation become less significant.
If fact the truth is the opposite of what Schneier says — ROI is a problem when attacks have a very high probability of happening, not a very low probability.
To give a practical example — say you buy a shiny new Porsche. It's in all likelihood easier to insure the car against being struck by lightning than to insure it against theft. This is because the cost/probability ratios in insurance are much better for rare events. That is, insuring against rare events costs less.
However, this brings us to another problem with Schneier's argument. If an attack has a high probability of occurring, then it is easy to quantify because such attacks are common and lots of data exists to extrapolate their probability.
Not only that, but you can also calculate the uncertainties in your value, giving you an idea of how accurate any probability is. In probability analysis, values without measured uncertainties are considered meaningless, as any actuary will tell you.
So you can construct meaningful ROI models, because rare events are cheap and common events can be predicted.
Last time I checked, insurance was a multi-billion dollar industry, and remains very lucrative. It is built around the very laws of probability that Schneier disputes.
Disclaimer: Unlike Schneier, I am not an "an internationally renowned security technologist", just a dumb mug journalist. If you want to defend him, please do so in talkback below.