Freakonomics for Information Security

There are many big questions in IT security.  Big questions that have significant implications.  There isn’t a venue, outside of security conferences and academic papers, for such questions to be asked and answered.  Security vendors often step in and provide answers, restating questions in a way that suits the vendor’s product portfolio.

I’m a fan of Freakonomics.  Some of their work is controversial, to be sure; however, they attempt to answer questions that few people even think to ask, but which often have significant implications for society.

I’ve been thinking: IT security could really benefit from a Freakonomics-like ‘think tank’ that would not only try to answer some of the hard questions, but also think of the hard questions to ask.  Questions that may be unpopular, particularly with vendors.  Questions like:

  • What is the limit of the effectiveness of security awareness training?
    • What factors influence this limit?
  • Is there a relationship between the level of a person targeted in an organization and the size or cost of a resulting breach?
  • What is the optimal strategy for picking an anti-virus vendor?
    • What would happen if we didn’t use anti-virus?
  • Is there a relationship between the ratio of IT budget to IT security budget and the likelihood of being breached?
  • Are mega-breaches actually rare, despite the headlines?
  • Is there a way to estimate the frequency that organizations are breached, but don’t know it?
  • How often are risk assessments wrong?
  • What is the optimal strategy to prioritize patches?
  • How informative and useful are security vendor research reports, like the DBIR and M-Trends?
  • How quickly do I need to detect an attack happening in order to prevent data loss?
    • What does this say about the level of investment we should give to detection versus protection?
  • What alternatives exist to the current IT security arms race?
  • How much responsibility should the designers of IT systems carry in a breach vs. the end user(s) who were involved?
  • How does the life cycle of IT systems impact security/security breaches?
    • For instance, the old, unsecurable OPM application, Windows XP/2003, and the move to the cloud
  • Are some IT development processes more “risky” than others?
  • Is it reasonable for a company that is trying to maximize profit to invest what is actually needed to properly secure its systems?
  • Is there a relationship between the background and experience of IT and/or infosec staff and the likelihood of being breached?
  • Are targeted attacks actually targeted?  Or do they just seem that way after the fact?
  • How quickly is the sophistication of attackers advancing?
  • …and many, many more.

Are these questions already being asked and answered?  How much interest is there in such a thing?