The Long Tail and Security Posture
Posted June 26th, 2007 by rybolov
If you haven’t heard of The Long Tail by now, you’re either not a student of Web x.0, only read the mainstream mass media, or you live under a rock. Or all 3. I was going to do some “esspraining”, but Wikipedia does it way better than I can.
Here, this is the picture from Wikipedia:
In this picture, the part in green represents the high-demand, high-sales products/services and the yellow represents “The Long Tail” or low-demand, low-sales products/services that actually constitute the majority of sales. So in other words, if you’re a Netflix, you rent more movies simply by having all the obscure titles that a brick-and-mortar video store can’t afford the shelf space for.
This concept has also been used to explain blogs, where blogs represent The Long Tail and are free to talk about the niche subjects that the mainstream mass media ignores because the mainstreamers are constrained by time and applicability to their readership.
As with just about everything I write, by now you’re thinking “What does this have to do with information security?” Yes, I hear this quite a bit, so don’t be worried if it’s not immediately transparent.
Imagine the same drawring with “Level of Effort” (LOE) as the X-Axis and “Return on Investment” (ROI) (what I really want to say is “payoff” but I’m trying to be pseudo-scientific, so humor me) as the Y-Axis. It would look something like this:
Anything that is green represents “high-payoff activities” or “common sense security”–the easy controls that provide a high level of security or other benefits. In this group, we have change control, automated patching, and testing backup tapes. You probably have a handful of similar controls that come to mind.
Anything in yellow represents “excessive spending” or “you must be out of your mind”. In other words, the amount of resources that you would have to expend to build the control outweighs the benefits that you would get from it.
But there’s one catch: what we are trying to do in deciding if/how to implement a security control is to make a decision based on cost, benefit, and risk. We have cost and benefit, how do we account for risk?
If you take a look at where the division is between green and yellow, that line represents what we would call “acceptable risk”–it’s a sliding scale along the X-Axis. Where that tipping point lies depends on the nature of the system, the mission that it supports, and the types of data that it stores, processes, or forwards.
For high-criticality systems, you move the line to the right, and you deliberately accept less efficient security controls: you’re into The Long Tail for all it’s worth.
But for low-criticality systems, all you really have to focus on is the high-payoff activities because your level of acceptable risk is lower.
Now when you’re in a compliance information security management model, what’s happening is somebody is setting that level of acceptable risk for you. I think this is the reason that there is such a backlash on most compliance frameworks. What is low LOE for somebody else might be high LOE for me because of the technology I have in play or due to other externalities, and if you hold me to that pre-determined level of risk acceptance, then I’m back to spending inefficiently. As a business, I hate it when people tell me to spend inefficiently “for my own good”.
What do I expect you to do with this model? Not much, I’m just building on the ideas from Jaquith, Earl Crane, and other people that I know. I just figured it would help somebody explain acceptable risk and compliance in a format that was easier to understand.
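The model above as a small worked example (added here, not part of the original post): controls are ranked by benefit per unit of effort, and the “acceptable risk” line is a criticality-dependent payoff cutoff that decides how far into the tail a system should spend. The controls, effort figures and benefit scores are constructed for illustration, not measurements.

```python
"""Long-tail model of security spending: rank controls by payoff per unit
of level of effort (LOE), then apply an acceptable-risk cutoff that moves
with system criticality. All numbers below are constructed examples."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    loe: float      # level of effort, e.g. person-days (constructed)
    benefit: float  # relative risk reduction on a 0-100 scale (constructed)

    @property
    def payoff(self) -> float:
        """Benefit delivered per unit of effort: the Y/X slope of the curve."""
        return self.benefit / self.loe


# Constructed control set: a short "green" head and a long "yellow" tail.
CONTROLS = [
    Control("automated patching", 5, 40),
    Control("change control", 8, 35),
    Control("test backup tapes", 3, 20),
    Control("HSM-backed key storage", 40, 15),
    Control("formal code verification", 120, 10),
    Control("full-disk encryption", 10, 25),
]

# Acceptable-risk line per criticality, as a minimum payoff a control must
# clear. A lower cutoff pushes the line further right into the long tail.
THRESHOLDS = {"low": 3.0, "moderate": 1.0, "high": 0.05}


def rank(controls):
    """Controls ordered from highest to lowest payoff (the head comes first)."""
    return sorted(controls, key=lambda c: c.payoff, reverse=True)


def select(controls, criticality):
    """Names of the controls on the green side of the line for this criticality."""
    cutoff = THRESHOLDS[criticality]
    return [c.name for c in rank(controls) if c.payoff >= cutoff]


def head_share(controls, n):
    """Fraction of total benefit delivered by the n highest-payoff controls."""
    ranked = rank(controls)
    total = sum(c.benefit for c in ranked)
    return sum(c.benefit for c in ranked[:n]) / total
```

With these constructed numbers the three head controls deliver about two thirds of the total benefit, and only a high-criticality system clears the cutoff for the two most expensive tail controls.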
Posted in Risk Management | 5 Comments »
June 26th, 2007 at 7:57 pm
Et tu, Mikaele?
And there I was going on a rant against using ROI to justify security spending. Security work is by default the long tail. There is no immediate payback.
Rather than ROI, you should look at long term profitability or loss prevention. Just not ROI, please.
My rant:
http://blog.secrisk.net/2007/06/return-on-investment/
June 26th, 2007 at 8:14 pm
Ah, ROI is not just dollars in my clouded little mind, and I do agree with you in that ROI is an abused term and I have abused it heavily here. I still like the concept of the Pareto distribution, though.
Would “benefit” work better here for you? How about “Karmic Return on Energy Invested?” =)
June 26th, 2007 at 9:02 pm
Yes, benefit would be much better. It’s a slightly less abused term and doesn’t have the “immediate and measurable financial return” connotation that ROI has. Benefit me likes.
Great article, by the way.
August 13th, 2007 at 6:17 am
[…] a while. Thanks to Chris Anderson’s book, we all know it works, and works really well. It was Guerilla CISO that brought it up first, but then ruined it by also including ROI on Security. Let’s not go […]
August 22nd, 2008 at 7:57 am
There is a good article based on Burton’s research on “the long tail of risk & dynamics of security market” – http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1266218,00.html
Cheers
My rants n ravings at – https://inthepassing.wordpress.com