Hi folks, Ed here. We're going to spend some time now focusing on management decisions that you make around cyber security. That might sound like kind of a supervisory sort of thing, but not really. Even if you're embedded in technical and architectural activity where you're doing a little more gearhead work, you're going to be making decisions about what's appropriate given a threat that may exist or not exist, for a given asset.
So turns out there's two primary factors that we take into account when we're making security management decisions. The first is clearly the effect on risk, like is it increasing security? If I put a big, massive wall in front of something, then there's a good chance that that's going to be increasing security. But the second factor has to do with cost. And I use costs not necessarily in a financial sense, but more what's the impact? What's the overall impact in terms of usability, certainly in terms of money and so on? So, you can think of it as sort of the security versus what you're investing. Am I spending a lot? Am I getting a lot of security?
So, let's think this through. So, there's a classic chart that you can see on the screen there that shows an x and y grid. It shows the decisions from some point. So, for example, if your system exists in some state, and you make a decision to improve security, to increase security. Well, there's a couple of different options that might be true with respect to costs. One is increased security costs you money. For instance, if you say, "I'm going to buy a firewall." Costs you money. You have to spend money. And that's a normal case. It's something that most of us are very comfortable with. You want more security, spend more money. Not a big deal. But there's another case that's a lot more interesting. And that's where increasing security potentially can decrease your costs.
And I think most of you who have backgrounds in engineering or development know that it's cheaper to do something right than to do it wrong. Which means if you take the time to build code properly, for example, or design a system properly, or prevent attacks right upfront, then it's more secure, and saves you money. That's sort of the whole idea. If you had to, in a nutshell, kind of encapsulate what security management is all about. It's that.
Now, on the other end of the spectrum, there are certainly cases that you see in practice, you see it all the time, where somebody is either increasing, decreasing security, whatever, and increasing costs. Like the worst case of all is that I decrease security, increase cost. Not a good idea. But you can think of a lot of cases where that may be true, where you're maybe introducing something that creates a false sense of security, for example, like you're putting something in place, it's very expensive. It's a big tool. It makes everybody think that you're nice and safe. But you're actually not because you may be taking your eye off the ball from where the real threat is, because you've spent all this money on this whatever was functional or procedural mechanism that you're hoping would reduce costs.
So, I think as we sort of work through this methodology for making decisions in terms of security and cost, I want you to keep that sort of in mind that the optimal situation is always to try to improve security and decrease costs. And the scenario that you want to avoid in all of your work activities, engineering or otherwise, is the scenario where you are decreasing security and increasing cost. That's certainly the scenario that you want to keep out of any use cases that you're involved in.
So, now to kind of test our understanding here, let's think through a very simple little quiz. Let's start with authentication. Clearly, if I improve authentication for insiders, they're still insiders.
So, it's not going to have much impact at all on insiders. If everybody who's already inside just gets a stronger form of getting into the building or getting into systems, they're still there. So, that's an example of spending money and not reducing the risk at all. So, that would be very bad. So, it might be good for other things. You might want to improve authentication to keep outsiders from your system, but if insiders is your concern, that's not the solution.
Logging certainly does reduce risk. I think in the presence of surveillance, insiders are going to be a lot more careful about the kinds of things that they're doing.
And then finally, increasing penalties probably does reduce the risk somewhat, but my personal style as an engineer is I'd rather be introducing a functional mechanism. But later on as we start learning about safeguards and countermeasures, you're going to find that there are not just functional mechanisms that come from the world of computing and networking, but there are also ones that involve things like penalty. Sometimes those are very useful.
So, I hope that little quiz helps with your learning. And we will see you in the next video.