[Updated] The cost of securing systems a work in progress

The following graphic is a method of expressing a few very basic concepts in information assurance and security. It is backed up by some statistics but I’m not going to try and justify what is hand drawn. Another project that I’ve been working on has a lot of data to support most of the assertions made here. Go ahead and take it with a grain of salt, but I think you as a reader will like some of the generalizations that can be made. Some of the rules used to create this are pretty simple.

  1. A normalized curve represents the number of systems on the Internet. Those systems if analyzed for security preparedness (patches, configurations, system relationships, etc) are representative of the curve.
  2. Some number of systems have almost no security. Some number of systems are incredibly secure.
  3. There is a cost in manpower to secure, manage and keep systems secure. A person once said that information security to get one unit of security you needed to spend double the amount. What he was driving at was an exponential curve for cost. That is represented as the red line.
  4. Some number of systems are going to be pretty secure and that is the normal state of affairs.



Part of this is to explain why LulzSec and others have the ability to hack into various systems seemingly so easy. Though .1% may seem like a very low number when you consider the vast number of systems in even one modest information technology organization we’ve got a problem. There is a tendency to focus on the computer sitting on somebody’s desk, but the actual situation is that every smart phone, SCADA device, server, router, and so many other items should be considered. Even a modest organization is going to have skimped on some number of systems at the bottom of the security pile and over there on the far left side.

This is one of the reasons security is hard and why the title to this blog post is actually a pun.


The following graphic depicts the cost sensitivity as you skew the normalized curve towards less security and more security and what you can expect all things being the same within the curve.

Click on image to make larger


Leave a Reply