Don’t fall into the security trap of only focusing on the weakest link
“Your security is only as good as the weakest link.”
We’ve all heard it said; perhaps we’ve even said it ourselves. But I have a problem with this saying.
It tends to imply that you should focus your effort on the weakest link, which is often the wrong call, especially when the weakest link is the hardest one to fix, as with PBCaK (problem between chair and keyboard, i.e. the human user). Fixing the weakest link is not necessarily what gives you the quickest ROI and risk reduction, and taken literally the saying is also usually mathematically inaccurate.
It’s not that the analogy is bad (in fact it’s very good); it’s just often used incorrectly. Consider this scenario:
So, if your security is only as good as the weakest link, and the weakest link (risk 3) has an annual likelihood of 15%, you have a 15% chance of a breach in a year, right? Wrong. Your security is in fact the combination of the weakness of every link.
The simplest way to work out the breach likelihood is to calculate the probability of not being breached at all, which (assuming the risks are independent of each other) is the product of each risk not materialising, and then convert that into the breach likelihood by subtracting it from 1. So, in this case, the probability works out as:
In other words, there is a 44% chance you will be breached in the next year in the illustrated scenario. Note that this is less than the sum of the likelihoods, which would be 55%: if you toss a coin with a 50% likelihood of tails twice you are not guaranteed to get a tails, even though the likelihoods sum to 100% (the real chance is 1 − 0.5 × 0.5 = 75%). The independence assumption matters too: if one risk materialising makes another more likely (a phished credential that then unlocks an unpatched internal system), the combined figure is different again, so treat the calculation as a lower bound on what correlated risks can do.
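The calculation above, and the point that a handful of "minor" risks can be worth more attention than the single worst one, worked through in code. This is an added example and not part of the original post; the post does not list the individual likelihoods, so the five values in `SCENARIO` are constructed (assumed) and chosen only so that they reproduce the figures quoted above (weakest link 15%, naive sum 55%, combined roughly 44%). The mitigation comparison at the end goes slightly beyond the post: it shows that eliminating two of the 10% risks reduces the combined breach probability more than eliminating the 15% weakest link does.

```python
"""Combined breach likelihood across several independent risks.

Added example; not from the original post.  The SCENARIO values are
constructed and only reproduce the post's reported figures (15% weakest
link, 55% naive sum, ~44% combined); they are not the post's own data.
"""
from math import prod


def breach_probability(likelihoods):
    """Annual probability that at least one risk materialises.

    Computed as 1 - P(no breach) = 1 - prod(1 - p_i).  This assumes the
    risks are independent; correlated risks (one compromise enabling
    another) need a joint model instead and are not handled here.
    """
    for p in likelihoods:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"likelihood out of range: {p}")
    return 1.0 - prod(1.0 - p for p in likelihoods)


def weakest_link(likelihoods):
    """What the adage implies on its own: the single largest likelihood."""
    return max(likelihoods)


def naive_sum(likelihoods):
    """Summing likelihoods overstates the risk and can even exceed 100%."""
    return sum(likelihoods)


def after_mitigation(likelihoods, mitigations):
    """Return a copy of the likelihood list with selected risks reduced.

    `mitigations` maps a risk's index to its new annual likelihood,
    e.g. {2: 0.0} for a full fix or {2: 0.075} for halving that risk.
    """
    updated = list(likelihoods)
    for index, new_p in mitigations.items():
        updated[index] = new_p
    return updated


def risk_reduction(likelihoods, mitigations):
    """Absolute drop in breach probability achieved by a set of mitigations."""
    before = breach_probability(likelihoods)
    after = breach_probability(after_mitigation(likelihoods, mitigations))
    return before - after


# Constructed scenario: risk 3 (index 2) is the "weakest link" at 15%;
# the other four risks sit at 10% each.
SCENARIO = [0.10, 0.10, 0.15, 0.10, 0.10]

if __name__ == "__main__":
    print(f"weakest link       : {weakest_link(SCENARIO):.0%}")
    print(f"naive sum          : {naive_sum(SCENARIO):.0%}")
    print(f"combined (indep.)  : {breach_probability(SCENARIO):.0%}")
    # Option A: eliminate only the weakest link (risk 3).
    print(f"fix weakest link   : -{risk_reduction(SCENARIO, {2: 0.0}):.1%}")
    # Option B: eliminate two of the 10% risks instead.
    print(f"fix two 10%% risks : -{risk_reduction(SCENARIO, {0: 0.0, 1: 0.0}):.1%}")
```

Run as a script it prints the weakest link (15%), the naive sum (55%) and the combined figure (44%), then the two mitigation options: removing the weakest link cuts the breach probability by about 9.8 points, while removing two of the 10% risks cuts it by about 13.1 points. Which option is cheaper is a separate question, which is exactly why the comparison belongs in the prioritisation rather than the adage.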
The key is to take a holistic view rather than focus on the weakest link – as many of us have been encouraged to do by the misleading adage. Otherwise, you may be ignoring other issues that in aggregate could be more significant, and may be more tractable.