Is information security like preventive health care?
It’s hard to find a good model for the cost-effectiveness of information security. Traditional risk management methodologies fail miserably because the unknowns that information security addresses typically can’t be quantified like the unknowns that risk management methodologies are designed to handle. This means that the model of information security as an insurance policy really doesn’t work very well. What other models might work better? What about preventive health care? Preventive care is similar to information security in some ways. In both cases we spend money to prevent bad things from happening, and we hope that this will reduce the need to spend money after the bad things have happened. According to the survey of medical literature done by Joshua Cohen, Peter Neumann and Milton Weinstein that was recently published in the prestigious New England Journal of Medicine, it turns out that most types of preventive care really aren’t worth doing. Their analysis shows that, on averag
