The other day, Peter wrote about an unreasonable investment in cryptography and information security. Walt and I both chimed in with our thoughts, but consider for a moment the investment criminals make. Ignoring it is often the reason government officials, the media, and overprotective parents take extreme security measures that are really just theater.

As we’ve mentioned many times before, a determined attacker can always get to your data. Then again, you could also get a free iPhone by beating up some kid who has one, but you won’t. The investment is unreasonable, with huge risks (not to mention a small reward). An organized crime syndicate, though, could probably get their hands on a few by paying people to do the robbing for them – big reward, little direct risk. See how that works?

Security needs to be evaluated in terms of effort – both ours (security folks) and theirs (crooks). Ask yourself, how much effort is someone willing to expend to get this (data, laptop, identity) and what will they lose if they fail?

That’s why someone probably isn’t going to drug you and hit you with a wrench for your ‘encrypted’ laptop. Nobody really wants to go through the effort or go to jail forever if they get caught. It’s more plausible for a teenager in Russia to attempt a Pentagon hack than it is for someone to mug you for data.

The effort put into security only becomes unreasonable if it greatly exceeds criminal effort.