One of the hardest things about being in information security is the
frustration.

The longer you’re in the field the more you’re exposed to ridiculously
insecure systems that nobody seems to want to fix. We know how to fix them.
We often have the money. And security people are explaining—at maximum
volume—exactly how to do it. But it doesn’t happen.

I’d like to propose an explanation and name for this phenomenon—the
Efficient Security Principle (ESP).

The Efficient Security Principle

1. The security baseline of an offering or system faces continuous downward
pressure from customer excitement about, or reliance on, the offering in
question.

2. The baseline for an offering’s security will be set at the point at which
people will not stop using the offering because it’s insecure.

3. The better the offering is, the lower the security baseline can be
without losing customers.

In other words, the way we know something has the “right” amount of security
—acceptable, not ethically or morally—is when people
just keep using it. There are countless examples.

• Online companies, when they get hacked constantly

• Email use at companies, when it’s the #1 way to get compromised

• Online banking, when fraud is constant

• Front door locks, when they’re trivial to pick

• The internet in general, when we know it’s an open wound

We use these things anyway because the value they provide massively
outweighs the security risks in our minds.

The moment enough people stop using something due to security being too bad,
the baseline goes up. And not before.

How to use this principle

If You’re a Technical Security Expert
Security experts often
believe the level of security for a given system is much lower than it
should be. Which makes sense. We’re close to it. We see the depth of the
problems. And we know how to make it better.

Recommendation: Realize that it’s not about us as technical
security experts. Realize that it’s about the bigger system, which is
primarily concerned with the functionality they’re getting from an offering,
not with its security risks. If people in general know the risk and they’re
still taking it, that’s just because they value the offering that much.
Don’t take it personally.

If You’re a Security Leader
Even security leaders within large
organizations can become disillusioned because they don’t see their programs
being taken seriously. Just like the technical implementers, they know how
to improve security and they can get quite upset when nobody is listening.

Recommendation: First, make sure the baseline is actually
where people think it is. If there are security gaps that the company—or its
users—don’t know about, make those visible to close the gap of knowledge and
get additional support. Second, find innovative ways to raise the baseline
in a way that doesn’t inconvenience the company or its users. They may not
want to spend much extra effort to raise the baseline, but they won’t object
if it goes up without effort on their part.

Summary

1. The Efficient Security Principle says that security is only as good as
   it needs to be to keep people from abandoning the service, and that the
   more popular or essential the offering, the lower the security can be.

2. Progress is still possible—especially through policy change and
   regulation—but it mostly comes gradually, at glacial speeds, or in fast
   jumps from major incidents. But security experts loudly calling out how
   low the baseline is, and gesturing wildly towards the solution, seldom
   results in change.

3. Passionate security experts struggling with low security baselines
   should absorb this truth so their mental health and job satisfaction
   don’t suffer unnecessarily.

NOTES

• Thanks to Saša Zdjelar and Clint Gibler for their insights while
  talking through some of these ideas with me, and Saša for the email
  example.

• The principle applies most to very large systems, like the internet,
  or the overall security of a massive publicly-traded company, not
  granular or small-scale mechanisms.

• There is a natural, glacial upgrade of all security just generally as
  a result of technical improvement, and within companies that are
  working on it diligently. If it’s invisible enough, the change can
  come naturally in a way that doesn’t bother users, which is
  technically a lifting of the baseline. But it’s so gradual that it
  doesn’t really apply to a given point of time when someone is
  wondering why security isn’t better.

• Saša Zdjelar points out that SMS is a good example of where the
  danger became too great and a global push happened to phase it out in
  a relatively short amount of time.

• There are also Security Blindspots where security experts know
  something that the public doesn’t. So they’re using the offering now,
  but if they knew how bad it really was, they might not. That’s a
  special case that doesn’t apply here. This principle deals with the
  situation where the functionality is deemed more important with full
  knowledge, not with situations where knowledge is unavailable or
  withheld.

• I wrote a similar essay about this in 2018 called Why Software Remains Insecure, but didn’t call out the concept as a principle.
  

• Pardon the formal, “I’m so smart” tone of the piece. I’m trying to
  make it evergreen, and thus remove any hesitation or personality from
  it. It’s really still just a capture of a Frame of thinking that I
  find useful, and I’ll continue to upgrade it as I see opportunities
  for improvement.