Is simplicity a security issue?
May 2nd, 2007 by Jesper Kråkhede
I had a rather long discussion with a good friend and former colleague today regarding simplicity in security. It is a well known fact that when your solution is too complex you probably have done it wrong. But the issue he had was that if you do not implement a security solution so that it is simple for a user to handle, they will find a way to circumvent it. This of course makes it quite interesting when doing ROSI calculations. The ordinary ROSI goes like this:
(Cost of risk) – (Mitigation actions) = Total amount not lost.
The question is whether the cost of simplicity should be included in the cost of the mitigating actions, or whether it should be presented as a separate, specified amount. Or, to put it more simply: what costs do you include in the mitigating actions? If your solution is far too complex, your users will find another way around it, making your cost of control rise to the same level as the cost of the risk.
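To make the argument concrete, here is a small model of the ROSI formula above with the cost of simplicity folded in. This is an added illustration, not a calculation from the post: the usability cost and the circumvention rate are assumed parameters I have introduced to express the point that a control users route around stops protecting them, and all figures are constructed.

```python
"""Illustrative ROSI model (added example, not from the post).

The post's formula is
    (Cost of risk) - (Mitigation actions) = Total amount not lost
This model adds two assumed terms to the mitigating actions:
  - usability_cost: the "cost of simplicity" (training, lost time, support)
  - circumvention_rate: the share of users assumed to work around the control,
    whose part of the risk therefore remains unmitigated
All numbers used below are constructed for illustration only.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    implementation_cost: float  # direct cost of the mitigating action
    usability_cost: float       # assumed: cost of the control being hard to use
    circumvention_rate: float   # assumed: fraction of users who route around it (0..1)

    def __post_init__(self):
        if not 0.0 <= self.circumvention_rate <= 1.0:
            raise ValueError("circumvention_rate must be between 0 and 1")


def residual_risk(cost_of_risk: float, control: Control) -> float:
    """Risk that stays because circumventing users are effectively unprotected."""
    return cost_of_risk * control.circumvention_rate


def cost_of_control(cost_of_risk: float, control: Control) -> float:
    """Mitigating actions as the post argues they should be counted:
    implementation plus the cost of simplicity plus the risk that leaks back in."""
    return (control.implementation_cost
            + control.usability_cost
            + residual_risk(cost_of_risk, control))


def amount_not_lost(cost_of_risk: float, control: Control) -> float:
    """The post's ROSI with the fuller cost of control."""
    return cost_of_risk - cost_of_control(cost_of_risk, control)


def worth_deploying(cost_of_risk: float, control: Control) -> bool:
    """A control whose total cost reaches the cost of the risk gains nothing."""
    return amount_not_lost(cost_of_risk, control) > 0


# Constructed scenario: same risk, a simple control and a complex one.
COST_OF_RISK = 100_000.0

SIMPLE = Control("simple, clearly communicated control",
                 implementation_cost=20_000.0, usability_cost=5_000.0,
                 circumvention_rate=0.05)

COMPLEX = Control("complex control users work around",
                  implementation_cost=15_000.0, usability_cost=30_000.0,
                  circumvention_rate=0.60)

if __name__ == "__main__":
    for control in (SIMPLE, COMPLEX):
        print(f"{control.name}: cost of control {cost_of_control(COST_OF_RISK, control):,.0f}, "
              f"amount not lost {amount_not_lost(COST_OF_RISK, control):,.0f}, "
              f"worth deploying: {worth_deploying(COST_OF_RISK, control)}")
```

Note that the complex control is cheaper to implement, yet once the usability cost and the circumvented share of the risk are counted, its cost of control exceeds the cost of the risk itself, which is exactly the outcome the discussion warns about.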
So in short: use simple solutions that have a clearly communicated business need.