Security Lessons from Nature – Units of Measurement

One thing that was hammered into me as I pursued my Physics degree was the importance of specifying units in my answers. Unlike my fellow students who chose to study Math, those of us in Physics actually had work that meant something. ;) At the time, I thought that my teachers were just being annoying, as it was pretty obvious what the units were.

Well, as it turns out, the reason that units matter in Physics is because it helps to build physical intuition. Since all answers match (at least, theoretically) reality, you can do a quick check against the answer at the end and make sure it makes sense (well, usually).

However, the reason that this works at all is because we defined all the units a long time ago. The International System of Units (which, for some stupid reason involving non-English languages, we abbreviate as “SI”), defines a unit for everything we have to measure and does so in such a way that it is standardized throughout the world.

• The meter measures length, and is defined as the length of the path travelled by light in vacuum during a time interval of 1/299 792 458 of a second
• The second measures time and is the duration of 9 192 631 770 periods of the radiation corresponding to the transition between the two hyperfine levels of the ground state of the cesium 133 atom.
• The kelvin measures temperature and is the fraction 1/273.16 of the thermodynamic temperature of the triple point of water.
• The candela measures luminous intensity, in a given direction, of a source that emits monochromatic radiation of frequency 540 x 1012 hertz and that has a radiant intensity in that direction of 1/683 watt per steradian.

Now, sure, for historical reasons, we have had to fix the values of the units to some pretty arbitrary numbers.  However, whenever someone says that something is a second long, everyone knows exactly what they mean (unless it’s a justasecond, which quite a bit longer).  That is the advantage of scientific consensus.

Which, of course, makes certain aspects of business difficult. Test of Time Design recently pointed out the problems with comparing yourself to your competition. Really though, the problem compounds when your competition starts comparing themselves to you too. That way, you build a vicious cycle of measurement and are soon making decisions based on metrics that are drifting further and further from reality.

I think that we tend to fall into the trap of measuring the easy things instead of the things that really matter. For example, there are many retail establishments that measure their progress against last year’s performance. What does that really measure? After all, you’re measuring in dollars, and the value of a dollar changes over time. If you base your business decisions on a constantly-changing unit, you have no idea if the changes you are making matter.

We see this problem in the security field as well. Many of us bemoan the lack of decent security metrics. Really, what we want to measure is how much we’re protecting the organization. However, it’s clear that the right way to measure that would be to wait until your company gets breached, figure out what it cost, travel back in time, put up defenses. Then you simply measure the cost of the breach and the cost of the defense, a little subtraction, and you know exactly what your solution is worth.

Alas, time travel can be tricky. So, we have to resort to other methods. There are communities doing some very interesting work in this subject. There are formal methods that are used in enterprises.  However, those models tend to take time to work through… often time that the small business doesn’t have in the first place.  Luckily, there’s another option.

Just fall back to physical intuition. Even if you can’t make a precise measurement of the weight of a brick, you can know that it’s going to hurt like hell when one hundred of them land on you. Similarly, you don’t need to know exactly what it will save you to deploy a security technology. You just need to look at the cost of the technology and ask yourself “if something bad happened, what would that cost me and how likely is it to happen?” Will this model work for a large enterprise where security solutions cost hundreds of thousands of dollars and can take up to a year to implement? Of course not. However, for small and medium sized business, most common security solutions are inexpensive enough that a rough intuitive calculation will probably do just fine.