Information Security (infosec) is massively complex, with piles of frameworks and mind-maps to help us make sense of it all. These products share a key weakness:
- They focus on who, how, or what, and ignore or presuppose why
- By ignoring the purpose of infosec, or by assuming there’s only one “correct” motivation, we talk past each other and fail to agree on priorities and strategies.
Why Infosec? Economics, Edicts, Ethics, and Excitement (E4)
In this inaugural post, let’s start with why and create a clean vocabulary to understand infosec motivations. Not everyone agrees, and we too rarely get on the same page before throwing time and money at infosec problems. Conversations abound about who should be doing what, how they should do it, with which tools, etc. — all of which is important — but they go nowhere if the parties are pursuing fundamentally different goals. If their purposes aren’t in sync.
In our years as practitioners and advisors, we’ve seen infosec motivations in the following four categories: economics, edicts, ethics, and excitement. These are all “true” in that they’re held by real infosec stakeholders, in varying combinations and to various degrees—they differ in the effort needed to assume anothers’ point of view. These categories are descriptive groups of pre-existing motivations, not mandates, and each gets a full treatment below, including strengths, weaknesses, and who’s often motivated by each.
Purpose matters: knowing players’ motivation helps everyone communicate. Moreover, consensus on “why infosec” before problem-solving helps avoid equivocation and talking past each other.
These categories fall along two axes: focus (protector vs. protectee) and discretion (flexible vs. rigid). This lets us visualize them nicely, and leads to a nice correllary: the likelihood of miscommunication increases as you get farther apart in this space. We explore this in more detail later.
This is a tool, a model, not (yet) empirical research. We think it produces better outcomes, and we’d bet it stands up to more rigorous analysis, but caveat emptor.
Economics (a.k.a., Risk, Money, Financials)
Economics refers to the financial and functional motivation for information security, the analysis of exposure and risk. Money. Business. Mission. It’s protectee-focused and flexible in its realization.
This is the motivation presupposed in all the CISSP® textbooks: we might get attacked and getting attacked costs money,
ergo the purpose of security is to 1) get attacked less often, 2) make each attack less expensive.
The money saved is the return on (and purpose of) the infosec investment.
Why infosec? It saves money, it supports the primary mission of the organization.
This motivation often involves a quantitative or probabilistic risk assessment where we gauge the severity and likelihood of infosec incidents. We often see annualized loss expectancy (ALE) or similar techniques used to find “real” monetary value for expected losses—the details are beyond the scope of this article, but we may explore this in the future.
Organizations then balance how they want to:
- Accept the risk (do nothing)
- Avoid the risk (stop the risky activity)
- Transfer the risk (through some type of insurance)
- Mitigate or reduce the risk (through controls/countermeasures - infosec lives here!)
This motivation is appealing to business leaders, for obvious reasons, and stands is the de facto standard purpose for most business-related infosec conversations. We often start and end here because it’s most clearly linked to the resources needed to execute the work, especially in the commercial world. This also includes those motivated by “mission assurance” or “functional impact” even in the public-sector (e.g., military and other government organizations) — it may not be strictly dollars-and-cents, but to these folks the purpose of infosec is to ensure the “real business” of the organization happens.
It seems simple until you try to get real numbers: What’s the dollar-value for exposure? What’s the quantitative risk? Rather than fight those battles, many teams apply the availability heuristic and default to examples from vendors or the media.
Strengths: Precise, rational, quantitative, objective, business-friendly
Weaknesses: Hard to quantify risk and exposure in practice, removed from the action (“bean counters”)
Common Among: CEOs and boards of directors, investors, finance and human resources, employees (non-security staff, those doing the work infosec protects)
Edicts (a.k.a., Mandates, Rules, Decrees)
Edicts refer to the panoply of guidelines, directives, frameworks, and regulations that mandate infosec activities. They are protectee-focused and rigid in their realization.
This is the motivation underpinning countless compliance efforts: some authority (government, industry, etc.) decided infosec is a good idea and they know best (or they can punish us if we deviate), ergo the purpose of security is to comply with the mandate(s).
Why infosec? We’re told to.
This motivation is not sexy, but is incredibly common, particularly in certain sectors (critical infrastructure, finance, healthcare). Of course, the people developing the mandate had their own motivations in one or more of the other quadrants, but that’s often opaque to the holders of this motivation. Organizations determine the scope and degree of each mandate, from the formal (law/regulation, industry guidelines) to the informal (media, industry fashion, vendor sales language, consultants).
Like economics, this motivation is often unstated and presupposed, but there’s enormous power in acknowledging compliance as a baseline purpose. It’s also powerful to see how this may drive completely different decisions than a strictly economic motivation.
And you don’t have to feel the same about your mandator to be in this bucket together. Some like it (“they know best, I don’t have time to think about it, everyone spends the same”) and some hate it (“it’s crippling and ineffective! damn the regulators!”) but all are motivated by it. Similarly, it doesn’t hinge on the “correctness” of the mandate, just its effect.
Strengths: Straightforward, directive, standardized, representative of best practices
Weaknesses: Costly, inflexible, boring, outdated, ineffective
Common Among: Regulators and participants in regulated industries, Information Technology (IT, especially on teams with no dedicated infosec personnel), legal, some consultants
Ethics (a.k.a., Morality, Imperatives, Principles)
Ethics refer to the normative guidelines for right and wrong, good and evil, that can inspire infosec activities. They are protector-focused and rigid in their realization.
This may seem a bit dramatic to some, but this motivation runs deep among certain participants in infosec. To holders of this motivation: cyber threats are wrong or evil, ergo the purpose of infosec is to meet our moral duty to counter them.
Why infosec? It’s the right thing to do.
The particular ethics or principles vary widely:
- Formal ethics like utilitarianism (“hacking is wrong because minimizes social utility/happiness/satisfaction”) or Kantian imperatives (informally, “hacking is wrong because we wouldn’t want everyone to do it,” a complicated cousin to the golden rule)
- Informal personal morality, inclusive of things like patriotism.
And, like edicts, you don’t have to agree on the specific imperatives to share ethics as the purpose for security: cryptography advocates and the FBI were on opposite sides of a 2016 infosec-related battle, and both were heavily motivated by principles.
Strengths: Inspiring, clear, directive
Weaknesses: Inconsistent (ethics differ), qualitative
Common Among: National security (law enforcement, intelligence, military), civil rights and privacy advocates (e.g., EFF, ACLU), activists, citizens (distinct from employees, above)
Excitement (a.k.a., Fun, Interest, Pleasure)
Excitement refers to the intrinsic fun, the cool-factor, that inspires many infosec participants. It’s protector-focused and flexible.
This is the dynamic cousin to the ethics motivation, and is dead simple: cyber threats are interesting and so is fighting them, ergo the purpose of infosec is to enjoy the work.
Why infosec? Because it’s fun.
Infosec is an incredibly dynamic and varied industry, full of countless things to learn and problems to solve. It benefits from a sense of challenge and competition (“us vs. them”), and this attracts and retains many of its practitioners. It’s perhaps not as formal or “serious” as the other three categories, but for the teams executing the day-to-day activities it’s arguably the most important.
Burnout and turnover are endemic to many infosec career fields, and staying in tune with this motivation can play a big role in effectiveness and impact.
Strengths: Fun, interesting, inspiring, innovative
Weaknesses: Inconsistent, qualitative, removed from other stakeholders
Common Among: Red teams and pen-testers, security and threat researchers, incident response, hunters, and other security operators, some national security (especially intelligence)
Implications of the Axes (Focus and Discretion)
The focus axis describes whether a motivation is more strongly associated with those protected by infosec (protectees) or those doing the protection work (protectors). The discretion axis describes whether a motivation is more strongly associated with those who prefer flexibility (high discretion) or rigidity and standardization (low discretion).
- Aligning with protectee-focused motivations (Economics and Edicts) makes it easier to get resources.
- Aligning with protector-focused motivations (Ethics and Excitement) makes it easier to inspire teams and reduce burnout.
- Aligning with high-discretion, flexible motivations (Economics and Excitement) makes it easier to be creative.
- Aligning with low-discretion, rigid motivations (Edicts and Ethics) makes it easier to standardize.
The grid created by these axes also gives us a nice corollary:
Corollary 1: The probability of miscommunication increases as you get farther apart in this space.
This is particularly clear on the diagonals:
- Economics vs. Ethics (e.g., “prosecuting the attacker isn’t worth the cost in overtime and exposure …”)
- Edicts vs. Excitement (e.g., “this compliance effort is boring the hell out of our security operations team …”)
People and organizations are motivated by more than one of these categories. You can think it’s virtuous to catch hackers and still want to save money. It’s a matter of degree, and of perspective.
This model helps the CFO understand her ops team wants to find bad guys before updating the exposure spreadsheet. It helps crusading investigators consider the expenses of victims, and it helps auditors see the effect of another checklist on the thrill of a hunt. And all the reciprocals. You might still make the same decisions, but it’ll be with open eyes.
It’s a few questions, asked explicitly: why does my organization or team invest in infosec? Why do I? Why do “they?” How might we find common ground before wasting time and money?
Then we can get to the frameworks and mind maps.
Open Questions (Future Posts?)
- Is this really true, or just a fever dream? Give me more examples. Give me some data.
- How do I know my motivation when all of them apply? How do we get a more nuanced picture?
- Which controls or approaches are most consistent with all 4 areas? Are there universal wins?
- Which frameworks (tactics, processes, tech, etc.) applies best to which motivation(s)?
- Is there a better acronym for this nonsense than E4? One that spells something at least?