What's On The Horizon

Along with Kees Leune, the ISO at Adelphi University, I will be presenting, "When To Declare An Information Security Incident and How To Respond Once You Do" at the EDUCAUSE Security Professionals Conference April 15-17 in St. Louis. Details can be found here:
http://www.educause.edu/events/security-professionals-conference

My most recent contributions to the information security community are presentations on the philosophy of security and on information security incident response at the Idaho Fraud & High Tech Investigation Conference, November 2012.

Monday, August 20, 2012

Secure Enough


I have a co-worker who lives in a safe neighborhood. He bought a house that came equipped with a security system, so he looked into the cost of using it and decided to take some less expensive measures to protect his castle. He was more worried about his dogs getting out of the yard than he was about someone breaking into his house, so he spent money on repairing the fence and bought some of those little “Not For Climbing” carabiners to secure the gate latches so the dogs couldn’t pop them open.

Last winter there was a crime wave in his neighborhood. Burglars invaded garages and stole items from the garages and from the cars parked in them. People had purses, wallets, guns, electronics, etc. stolen. The police deduced that the burglars slipped in through open gates and then through unlocked garage windows or pet doors. My colleague’s house wasn’t bothered because it was just slightly more difficult to get to, and the burglars left it alone. His house wasn’t super-secure; it was secure enough.

Information security costs money. The question is how do we strike a cost-benefit balance? It depends on an organization’s appetite for risk and the value of the target the organization presents. In other words, what are the organization’s crown jewels and what is the cost of protecting them vs. the cost of losing them?

An easier lesson is, if you are going to leave your garage windows unlocked, don’t leave your cash and credit cards (and car keys) in the unlocked cars parked in the garage.








Left:  A simple, effective, redundant, though primitive, intrusion detection system.
