Managing Network Security

Why Bother?

Copyright(c), 1996, Fred Cohen

Series Introduction

Over the last several years, computing has changed to an almost purely networked environment, but the technical aspects of information protection have not kept up. As a result, the success of information security programs have increasingly become a function of our ability to make prudent management decisions about organizational activities. Managing Network Security takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.

The Argument for Lax Protection

A common discussion in information protection involves two people. In the cryptographic tradition, we will call them Alice and Bob.

The discussion usually drops off here with something about the idea that if you can't be perfect, you shouldn't spend a lot of money.

I am generally on the Alice side of this discussion, while the Bobs of the world have bosses that keep pushing them to spend less money on information security, want the newest and best of technologies, and are unwilling to sacrifice more than the meagerest of inconvenience regardless of the risks. The Bobs are generally knowledgeable about protection and desire to improve things, but they are caught in the position of being unable to convince their management to do more. Over time they start to give up and, eventually, protection falters.

The Boss's Viewpoint

To get a more complete sense of this, let's look at things from the point of view of Bob's boss's boss's boss, Cathy.

Cathy manages a large organization and makes day-to-day decisions about all manner of things ranging from which marketing firm to use on the newest release to the settlement options in a law suit. Cathy does not know a lot about information technology, but she does know how to make management decisions. When one of her executives complains about security getting in the way of production, she rightly asks her CIO why they can't provide adequate protection without getting in the way of production. Bob is then told in no uncertain terms to remove the impediments.

Bob can fight it or go along, but after writing the first 10 or 20 memos describing how he is doing something he feels is inappropriate at the order of his boss, he either gets fired or learns to keep quiet.

The Financial Case

Eventually, if Bob is going to get money for improved protection, he is going to have to convince Cathy and all the other bosses that their investment in protection will yield a return that is better than alternative investments they might be able to make with the same money. But Bob faces an uphill battle.

The first problem is that the information protection function usually involves a lot of hidden costs. These costs are hidden because current accounting systems don't accurately account for the time spent in information protection. For example, when a secretary who can figure out how to add a user to the access list for a printer adds that user, it might take 20 minutes of effort. This time is not generally recorded as part of protection management - it's included in the normal day-to-day activities of the secretary. It would cost too much to accurately account for all such costs by having secretaries and others who perform such tasks enter special codes in their timecards. As a result, there is no standard accounting for this sort of activity.

But what if we had a systems administrator add a user to the access list to the printer? In a rush job, it might take 5 minutes, but if done on a periodic basis when other users were being added to printer access lists, it might be done in less than 1 minute. And the systems administrator might know about some other side effects that the secretary is unaware of. The systems administrator would have to be paid more than 10 times as much as the secretary for the secretary to be cost effective in this role. Since most systems administrators cost only a little bit more than most secretaries, it's more cost effective to have systems administrators do systems administration. In fact, the return on investment is so good that it's a better investment than most of the other activities companies engage in.

But wait a minute - don't I have information protection confused with systems administration? Well...

Am I Confusing Systems Administration with Information Protection?

When I talk about information protection, I generally explain it this way. Information protection consists of two components; (1) information assurance (getting the right information to the right place at the right time) and (2) information security (keeping the wrong information from getting to the wrong place at the wrong time).

Systems administration is almost entirely done for information protection purposes. When you add someone to the printer's access control list, you are helping to get the right information to the right place at the right time, but if you don't do it right, you may get the wrong information to the wrong place at the wrong time.

How Much?

Cathy is beginning to listen ... Allright, but how much is it going to cost me to add all these systems administrators? How many do I need, and how am I going to pay for it?

The battle is half won, but we still have a language problem. Cost you? It doesn't cost money, it makes money! Information protection is profitable!

Let's look at the return on investment. As long as I use systems administrators to do systems administration and don't (1) induce much extra overhead in communicating what I need to get the job done or (2) create unnecessary delays in getting the job done by the additional steps needed to contact a systems administrator, it's profitable.

What's the ROI?

The return on investment is that for each dollar I spend on a needed systems administrator I save at least two dollars that would otherwise have to be spent by people who aren't systems administrators to do the same thing.

Don't believe me! Do your own little study. Take a list of ten or twenty common systems administration tasks and have them done by each of three systems administrators and three secretaries. Time everything, figure the costs, if they call for help, add the cost of the people who help them, and look at the bottom line. You will soon see that I have been very conservative in my estimate.

When Do I Stop?

A Joke: How many secretaries does it take to move Windows95 to a new computer? Three... or is it ten? Let's see, one to type Setup and two to recreate the registry... oh... they don't know how to edit the registry?... It's ten then. (1)

One answer is that you stop adding systems administrators when they stop having systems administration tasks to do. But maybe you want a sense of what the ratio of systems administrators to users should be. A good estimate is that one professional systems administrator is needed for every 20 normal users.

No way! I hear you... I know that in many, perhaps most situations there is more like one professional systems administrator for every several hundred users. That's one of the big reasons we have so many security problems.

What If We Don't?

Now consider this. If professional systems administrators are ten times more effective at doing their jobs than typical users, and the most cost effective ratio is one systems administrator for each 20 users, then without any systems administrators, users spend 1/2 of their time doing systems administration tasks. If systems administrators are only five as effective at systems administration as your users, without systems administrators, users spend 1/4 of their time doing systems administration tasks. Either that, or a lot of the systems administration tasks don't get done.

Ahah! In real organizations, people are not permitted to reach this level of inefficiency on a day-to-day basis, so instead, they don't do things that professional systems administrators in the right proportions would do - such as keeping proper backups - or properly configuring access controls - or checking system configurations on a regular basis - you get the idea?

When the ratio of systems administrators is too low, the only things that get done are the things that are absolutely necessary to keep systems operating. If the administrator can't get there in time, users spend their time as necessary to get systems to run - and as soon as they can print the document they need to print right now, they go no further. If that means that they won't be able to print something tomorrow - or that someone else can't print anything - so be it. Whoever is effected will deal with that problem when it comes - at the expense of still more wasted time and even less stable configurations.

Special Cases

Part two: How many engineers does it take to move Windows95 to a new computer? Twenty... but it only took ten secretaries! True, but then engineers are not secretaries you know.

Just because you know more about computers doesn't mean you're better at systems administration. There are a lot of highly paid programmers and engineers who know a great deal about computers and yet don't know very much about systems administration. They may know more about computers than systems administrators, but that doesn't make them better suited for the task. The people doing systems administration may be more aware of the current organizational issues than an engineer working on a special project. In other cases, the programmer might want to do something perfectly safe from their standpoint, but it may create problems elsewhere in the organization's network.

Even if you have people who are just as good at systems administration and know just as much about it as your professional systems administrators, it may not be a good idea to have those people do systems administration. Many programmers and engineers, for example, get paid more than systems administrators, and this makes it even harder for them to be cost effective in the systems administration role. So even in cases where you have an expert in systems administration as part of your team, it may be cost effective not to use them in that role.

There are special cases where more or fewer systems administrators are more cost effective. For example, some environments are very standard. If every system is identically configured and every user does the same thing all of the time, then it normally takes fewer systems admisnitrators per user to get the job done right.

Back to Bob

Where were we... oh yes, Alice and Bob we discussing protecting the organization from the Schlegenger attack and...

It is generally agreed that no protection is perfect and that protection involves tradeoffs, but many people take this as an excuse to give up on protection too easily. The true picture is that nearly perfect protection is often affordable, and highly effective protection usually results in an excellent return on investment.

Just as we can't live forever, we can't have perfect protection. But just as we invest in medicine because the cost is often justified by the return in longer life, the investment in information protection is often justified by the return in more efficient and predictable business operations.

The reason to invest in better information protection is that it gives a good return on investment. The point of diminishing returns is usually the point where you have highly effective protection. At that point, any cost effective improvement probably involves an exotic technology for some very special case.

About The Author

Fred Cohen is a Senior Member of Technical Staff at Sandia National Laboratories and a Senior Partner of Fred Cohen and Associates in Livermore California, an executive consulting and education group specializing information protection. He can be reached by sending email to fred at


  1. The problem with the Windows95 registry is not really very funny. If you know how to edit the registry, you can make the new system work like the old one pretty quickly. If you don't know how to edit the registry, you have to reinstall all the programs and then recreate all of their configuration information. It's a lot of work and you can make a lot of mistakes.