The Long Tail and Security Posture

Posted June 26th, 2007 by

If you haven’t heard of The Long Tail by now, you’re either not a student of Web x.0, only read the mainstream mass media, or you live under a rock. Or all 3. I was going to do some “esspraining”, but wikipedia does it way better than I can.

Here, this is the picture from Wikipedia:

The Long Tail, Picture by Hay Kranen/PD

In this picture, the part in green represents the high-demand, high-sales products/services and the yellow represents “The Long Tail” or low-demand, low-sales products/services that actually constitute the majority of sales. So in other words, if you’re a Netflix, you rent more movies simply by having all the obscure titles that a brick-and-mortar video store can’t afford the shelf space for.

This concept has also been used to explain blogs, where blogs represent The Long Tail and are free to talk about the niche subjects that the mainstream mass media ignores because the mainstreamers are constrained by time and applicability to their readership.

As with just about everything I write, by now you’re thinking “What does this have to do with information security?” Yes, I hear this quite a bit, so don’t be worried if it’s not immediately transparent.

Imagine the same drawring with “Level of Effort” (LOE) as the X-Axis and “Return on Investment” (ROI) (what I really want to say is “payoff” but I’m trying to be pseudo-scientific, so humor me) as the Y-Axis. It would look something like this:

The Long Tail as Risk Management

Anything that is green represents “high-payoff activities” or “common sense security”–the easy controls that provide a high level of security or other benefits. In this group, we have change control, automated patching, and testing backup tapes. You probably have a handful of similar controls that come to mind.

Anything in yellow represents “excessive spending” or “you must be out of your mind”. In other words, the amount of resources that you would have to expend to build the control outweigh the benefits that you would get.

But there’s one catch: what we are trying to do in deciding if/how to implement a security control is to make a decision based on cost, benefit, and risk. We have cost and benefit, how do we account for risk?

If you take a look at where the division is between green and yellow, that line represents what we would call “acceptable risk”–it’s a sliding scale along the X-Axis.  Where that tipping point lies depends on the nature of the system, the mission that it supports, and the types of data that it stores, processes, or forwards.

For high-critical systems, you move the line to the right and you actually become more inefficient at the types of security controls that you build–you’re into The Long Tail for all it’s worth.

But for low-criticality systems, all you really have to focus on is the high-payoff activities because your level of acceptable risk is lower.

Now when you’re in a compliance information security management model, what’s happening is somebody is setting that level of acceptable risk for you. I think this is the reason that there is such a backlash on most compliance frameworks. What is low LOE for somebody else might be high LOE for me because of the technology I have in play or due to other externalities, and if you hold me to that pre-determined level of risk acceptance, then I’m back to spending inefficiently.  As a business, I hate it when people tell me to spend inefficiently “for my own good”.

What do I expect you to do with this model? Not much, I ‘m just building on the ideas from Jacquith, Earl Crane, and other people that I know. I just figured it would help somebody explain acceptable risk and compliance in a format that was easier to understand.

Similar Posts:

Posted in Risk Management | 5 Comments »

5 Responses

  1.  Saso Says:

    Et tu, Mikaele?

    And there I was going on a rant against using ROI to justify security spending. Security work is by default the long tail. There is no immediate payback.

    Rather than ROI, you should look at long term profitability or loss prevention. Just not ROI, please.

    My rant:

  2.  rybolov Says:

    Ah, ROI is not just dollars in my clouded little mind, and I do agree with you in that ROI is an abused term and I have abused it heavily here. I still like the concept of the Pareto distribution, though.

    Would “benefit” work better here for you? How about “Karmic Return on Energy Invested?” =)

  3.  Saso Says:

    Yes, benefit would be much better. It’s a slightly less abused term and doesn’t have the “immediate and measurable financial return” connotation that ROI has. Benefit me likes.

    Great article, by the way.

  4.  Internet and The Long Tail | Risking it ... Says:

    […] a while. Thanks to Chris Anderson’s book, we all know it works, and works really well. It was Guerilla CISO that brought it up first, but then ruined it by also including ROI on Security. Let’s not go […]

  5.  ispeakformyself Says:

    there is a good article based on Burton’s research on “the long tail of risk & dynamics of security market” –,289142,sid14_gci1266218,00.html

    my rants n ravings at –

Leave a Comment

Please note: Comment moderation is enabled and may delay your comment. There is no need to resubmit your comment.

Visitor Geolocationing Widget: