Water is critical to life. Many sources suggest that drinking more water can lead to better health. And yet I’m sure you have heard the story of the woman who died as a result of drinking too much water during a radio station contest in 2007. Water intoxication results when our water intake and our water losses are grossly different: the levels of electrolytes in our system get out of balance, causing basic functions of our body to cease operating.
Too much of a good thing–even water–can be bad.
Minimum Effective Dose
A minimum effective dose, or MED, a term borrowed from the dosing of pharmaceuticals, is the smallest dose that will produce the desired effect. Think of acetaminophen, the main ingredient in Tylenol. If you take the right amount, it can reduce fever and pain. If you take too much, it can harm your liver. Likewise with narcotics: overuse can lead to addiction and other ill effects.
The right dosage of medicine is often based on a variety of factors, including the patient’s body mass, the rate of absorption of the drug, and others. Medicine dosage is very rarely “one size fits all”.
In his book The 4-Hour Body, author Tim Ferriss discussed the concept that MED doesn’t have to be restricted to medicines. Consider any activity as a “dose” and then think of how the MED might apply. Boiling water, for example, means that you heat the water to 212°F (100°C). Heating it any higher is wasteful and doesn’t help reach the desired outcome.
What’s the right security dose for you?
Applying information security controls is also an activity that requires a minimum effective dose. While applying too much security rarely leads to liver failure or crippling addiction, it can lead to significant waste and inefficiency. Avoiding this waste is one of the main principles behind minimum viable security.
Have you ever used a computer that had two or more anti-malware products installed on it at the same time? Anti-malware software kicks in when any file is read from or written to the disk of the computer. Having two products installed creates a flow like this:
- You click to open File X.
- Product 1 activates upon read of File X, and checks its own database to see if File X has a virus.
- Product 2 activates upon read of Product 1’s database, and checks its own database to see if Product 1’s database has a virus.
- Product 1 activates upon read of Product 2’s database, and checks its database again.
- And then Product 2 repeats the entire process when it gets its chance to scan File X.
Having two active anti-malware products means 6-8 scanning activities every time the system reads a single file. It also requires both anti-malware signature databases to be in memory, reducing the space available for other programs. The end result is a computer which behaves slower than dial-up.
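The cascade in the list above can be made concrete with a small simulation. The following is an added illustration for this post, not code from the author; it assumes a simplified hook model in which each product inspects every file read, consults its own signature database while doing so (which is itself a disk read the other product sees), and refuses to re-enter itself while a scan is already running. The product names, database file names and "File X" are constructed for the example, and the exclusion lists stand in for the generic vendor mitigation of telling each product to leave the other's files alone.

```python
"""Toy model of two anti-malware products hooking every file read.

Added illustration, not the post author's code. It assumes: each product
scans every read it sees, reads its own signature database while scanning,
and uses a re-entrancy guard so it does not scan while already scanning.
All file names and product names are constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass
class Product:
    name: str
    db_path: str                                   # own signature database
    exclusions: set = field(default_factory=set)   # paths this product will not scan
    scanning: bool = False                         # re-entrancy guard
    scans: list = field(default_factory=list)      # log of paths actually scanned

    def on_read(self, path, system):
        """Hook invoked by the system for every file read."""
        if self.scanning or path in self.exclusions:
            return
        self.scanning = True
        self.scans.append(path)
        # Checking a file means consulting the signature database, which is
        # a disk read that every other product's hook will also see.
        system.read(self.db_path)
        self.scanning = False


class System:
    """Minimal file-read dispatcher that fans each read out to all hooks."""

    def __init__(self, products):
        self.products = products
        self.reads = []

    def read(self, path):
        self.reads.append(path)
        for product in self.products:
            product.on_read(path, self)


def open_file(products, path="File X"):
    """Open one file and return (disk reads performed, scan activities)."""
    system = System(products)
    system.read(path)
    total_scans = sum(len(p.scans) for p in products)
    return len(system.reads), total_scans


def one_product():
    return open_file([Product("P1", "db1.dat")])


def two_products():
    return open_file([Product("P1", "db1.dat"), Product("P2", "db2.dat")])


def two_products_with_exclusions():
    # Mitigation: each product is told to ignore the other's database.
    p1 = Product("P1", "db1.dat", exclusions={"db2.dat"})
    p2 = Product("P2", "db2.dat", exclusions={"db1.dat"})
    return open_file([p1, p2])


if __name__ == "__main__":
    for label, fn in [("one product", one_product),
                      ("two products", two_products),
                      ("two products, mutual exclusions", two_products_with_exclusions)]:
        reads, scans = fn()
        print(f"{label}: {reads} disk reads, {scans} scans for one file open")
```

Opening one file costs two disk reads and one scan with a single product, but five reads and four scans with two products, because each product's database read is scanned by the other. Mutual exclusions bring that back to three reads and two scans, which is still twice the work of one product for no additional protection.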
Applying more security didn’t make the system “more secure” – just like heating water past 212°F doesn’t make the water “more boiled”.
The Value of the Minimum
Minimum viable security can be thought of as an MED for security: doing everything you must do to protect the organization and its information assets, without waste. Some technical controls are part of minimum viable security: firewalls, patching, anti-malware, and limited privileges. Non-technical controls are necessary too, such as physical security, clearly defined policies, and security awareness.
Do you have an idea for what is and isn’t part of minimum viable security? Leave a comment below and join in the discussion.
Adding more security to a system is always an option – but we believe that it often is not the best option. Too much of a good thing often isn’t. We apply our creativity, passion for security, and insight in the industry to find the most appropriate solutions for our customers: the minimum effective dose of security for their organization.