
Opinion

The Case for Identity Management

8/28/2006

CSI) and the Federal Bureau of Investigation found that a significant number of organizations conduct some form of economic evaluation of their security expenditures. (The full text of the survey can be found here.)

The most popular metric is a percent of revenue. For example, the CSI/FBI survey found that 48 percent of responding organizations devoted between 1 and 5 percent of the total IT budget to security. Other common metrics are expenditure per employee or per user. The advantage of these metrics is that they are relatively simple to explain to management. The problem is that averages can be misleading and can mask wild variations in the samples. As someone who has used IT expenditures as a percent of institutional budget as a rationale for increasing the IT budget, I have reluctantly concluded that these simple metrics have limited effectiveness and should be used with caution, if at all.

More complex metrics have been proposed. A recent national security publication proposed a “value protection” metric based upon an algebraic formula. Upon closer inspection, however, the methodology is circular. The user is asked to specify a desired “value protection level” based upon a poorly defined and fuzzy explanation of the metric. The formula is then used to generate the cost of meeting the metric. Unfortunately, the resulting investment cost is derived directly from the formula – independently of what it may actually cost to provide the service in the real world. This particular metric can work (sometimes) because senior executives do not always fully understand statistics, what they mean, how they are derived, and what assumptions were made in their preparation. The metric is still balderdash, and if exposed, will undermine the credibility of the IT organization using it.

A Workable Strategy

What I suggest to clients is an honest assessment of the probability and costs associated with various security risks, solid research on the costs to mitigate those risks, and a common-sense decision-making process. The goal should be adequate security – much like Ralph’s Pretty Good Grocery in Garrison Keillor’s Lake Wobegon, where you can get what you need but not necessarily everything you want. Most people routinely make decisions in their everyday lives based upon this common-sense process.

Years ago, as a rock climber and new father, I took out a large life insurance policy because the risk was high and the cost of mitigating the risk relatively low (at the time, insurance companies didn’t yet include rock climbing on their list of dangerous activities). I didn’t base that decision on a formula or a spreadsheet, but rather on a clear, common-sense measurement of the risks and the costs associated with mitigating those risks. The same process is key to assessing security risks and their potential costs to your institution.
