Saturday, July 31, 2010

Enterprise-Size Authentication Is Not Just About Avoiding False Positives

When you're setting up an authentication method for access to an enterprise information system or to the enterprise premises, you don't want to just worry about false positives. You need to worry about the false negatives also.

Think about the logon screen of an application or website, asking for your username and password. The biggest worry of IT people behind that screen is to make sure the wrong people do not access the system. I think they should also care about the number of times the right people can't access the system either.

That's no big math, but suppose you would change a logon screen with 0.1% of false positives and 1% of false negatives (each losing the company 0.5$ because of the time lost for work) for a new logon screen with 0.01% of false positives and 3% of false negatives. Additionally, suppose the logon screen is used by 10,000 employees five times a day, 300 days a year.

The change would represent a loss of:
2% of additional false negatives
x 0.5$ each time
x 10,000 employees
x 300 days a year
x 5 times a day
which equals 150,000 $ per year.

It makes sense to acquire the new logon screen (let alone its own cost) if dividing by ten the losses due to intrusions in this system saves you more than 150,000 $ each year, that is, if the losses due to intrusions are above 170 000 $ per year, roughly.

Friday, July 30, 2010

Monthly ITsec Leadership Quotes and Articles: July 2010 (and June too)

Positive Leadership: Invest in People Building a Culture of Innovation.

Leadership Essay by former student Vince Fitzpatrick on the SANS Technology Institute's "Leadership Laboratory". The author comes back on the leadership he used when he was first appointed as CISO. It really reminds me of my own beginning.

Executives are Not Stupid on, helpful to debug IT workers and ITsec workers when they think that everything is the management's fault.

Five reasons projects fail on Michael Krigsman's IT Project Failures.

'Wicked problems': collaboration, risk, and failure also on Michael Krigsman's IT Project Failures.

CISO and CSO Reporting Structures on the Security Recruiter Blog, on the shift of ITsec from defence to legal compliance.

Why "Doing ITIL" Doesn't Work (And How to Fix It): a direct, simple, summary of why ITIL is no silver bullet. Keep in bookmarks in order to cool down a manager, some day.

Can You Compete With the Next Generation of Security Leadership? (Yes, we can.)