Leadership Lab: Management Competencies

Applying the Pareto Principle to Information Security Management

Charlie Scott

Introduction

The Pareto Principle, also known as the 80/20 Rule, is a popular method of focusing on the issues that most affect process performance and quality control. It is attributed to the work of Italian economist Vilfredo Pareto, who observed in the early 20th century that 80% of the wealth in his country was owned by 20% of the population. It has been generalized to mean that approximately 80% of any given effect can be attributed to approximately 20% of the possible causes (the “vital few” in Pareto’s terminology). Conversely, the remaining 80% of causes (the “trivial many”) account for only 20% of the effects. The Pareto Principle has since been applied to process improvement, software development, time management, and any number of other practices.

This paper explores how information security managers can use the Pareto Principle to their benefit.

Applying the Pareto Principle to Incident Statistics

The Pareto Principle works best when you apply it to a large sample of data. A good information security manager will keep track of incident data within their organization. When applying the principle, it is important to have a large enough sample size, collected over a long enough span of time, to provide useful results. To make the Pareto chart more manageable, it is best to reduce incidents to their major classes rather than getting too granular. Consider, for example, using policy violations as a data set. Table 1 shows the various policy incident classifications, the count of each over the course of a year, the percentage that count represents of the total, and the cumulative percentage.

Table 1

Classification                             Count   % of Total   Cumulative %
Sensitive Information Leakage                120       36.25%         36.25%
E-mail Abuse (incl. spam)                     80       24.17%         60.42%
Forgery / Fraud / Theft                       54       16.31%         76.74%
Commercial Usage of Resources (not spam)      26        7.85%         84.59%
Sharing Accounts                              21        6.34%         90.94%
Threats or Harassment                         11        3.32%         94.26%
Copyright Infringement                         8        2.42%         96.68%
Excess Bandwidth (P2P / Streaming)             8        2.42%         99.09%
Hacking                                        3        0.91%        100.00%


Chart 1 is a Pareto chart representation of Table 1. It visually compares each classification to the others in terms of percentage of total and highlights where 80% of the violations are coming from.

Chart 1: Pareto chart of the policy violation classifications in Table 1 (image not reproduced)

From this table and chart, it becomes apparent that slightly over 80% of the policy-related incidents come from just four violation classes:
  • Sensitive Information Leakage (e.g. e-mailing unencrypted social security or credit card numbers).
  • E-Mail Abuse (e.g. commercial and non-commercial spam).
  • Forgery/Fraud/Theft (e.g. guessing another user’s password and logging in as that user).
  • Commercial Usage of Resources (e.g. using company e-mail for a side business).
What does this tell an information security manager? Most organizations have very little time and money set aside for security training. Using a Pareto chart in this way can help direct these limited training resources in order to make the largest impact. In the example, it illustrates that users need to be better educated about the consequences of those four violation classes, and that technical controls should possibly be implemented to prevent the violations from occurring.

This is just one example of how to apply the Pareto Principle. Other examples include applying it to users (x% of users are responsible for y% of incidents), malware (x% of infections are caused by y% of seen malware), systems (x% of breaches occur on y% of the systems), etc.

Re-Apply the Principle at Regular Intervals

After implementing changes based on Pareto findings, it is important to re-apply the principle after a period of time to see if the changes have taken effect. Even if changes are not implemented, there is always the possibility that the data will change over time: new threats emerge, new systems come online, and the pool of employees shifts.

In the policy violation example, the data should be analyzed again after the training and technical controls have been in place for a year to see if the common violations have dropped. If they have, then the distribution of violation classes will have changed, and new areas will emerge to focus the budget on in the following year.

Pareto is a Rule of Thumb, Not Dogma

Although the Pareto Principle may seem like voodoo in the way it applies to almost any situation, it is important to remember that it is not law, but a decent rule of thumb. There is nothing magical about 80/20 and many people use 70/30 or 90/10 to perform the same function. Pareto is simply a relatively easy tool to help focus on what is really important when faced with a large quantity of information.

Avoid Becoming “Pareto-Blinded”

Of course, the risk of focusing exclusively on the “vital few” is that something might be missed in the “trivial many” that turns out to be not so trivial after all. While Pareto charting works well for quantity, it does not allow importance, weight, or risk to be assigned. In the policy violation incident example, hacking (in this case by insiders) barely makes it onto the chart and accounts for less than one percent of incidents over the course of the year. However, if the hacking incidents were cases of industrial espionage and exposure of trade secrets, then the cost to the organization could well exceed all the other violations combined.

One way to avoid falling into this trap is to approach the data from several different angles. For instance, if an organization has estimates of how much each policy violation costs it, then looking at the data weighted by cost can reveal how much additional weight to ascribe to each classification.
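As an added example (not part of the article), the following Python reproduces the count-based Pareto analysis behind Table 1 and then re-weights the same classes by an estimated cost per incident, as the paragraph above suggests. The cost figures are hypothetical assumptions, since the article gives none; the incident counts are those of Table 1.

```python
# Constructed from Table 1 of the article: policy violations over one year.
INCIDENT_COUNTS = {
    "Sensitive Information Leakage": 120,
    "E-mail Abuse (incl. spam)": 80,
    "Forgery / Fraud / Theft": 54,
    "Commercial Usage of Resources (not spam)": 26,
    "Sharing Accounts": 21,
    "Threats or Harassment": 11,
    "Copyright Infringement": 8,
    "Excess Bandwidth (P2P / Streaming)": 8,
    "Hacking": 3,
}

# Hypothetical estimated cost per incident (currency units); the article
# gives no cost figures, so these are assumed for illustration only.
ESTIMATED_COST_PER_INCIDENT = {
    "Sensitive Information Leakage": 5_000,
    "E-mail Abuse (incl. spam)": 50,
    "Forgery / Fraud / Theft": 3_000,
    "Commercial Usage of Resources (not spam)": 200,
    "Sharing Accounts": 500,
    "Threats or Harassment": 2_000,
    "Copyright Infringement": 1_500,
    "Excess Bandwidth (P2P / Streaming)": 100,
    "Hacking": 400_000,
}

def pareto_table(weights):
    """Rows of (class, weight, % of total, cumulative %), largest first."""
    total = sum(weights.values())
    rows, running = [], 0
    for cls, w in sorted(weights.items(), key=lambda kv: (-kv[1], kv[0])):  # ties: alphabetical
        running += w
        rows.append((cls, w, round(100.0 * w / total, 2),
                     round(100.0 * running / total, 2)))
    return rows

def vital_few(weights, threshold=80.0):
    """Smallest leading group of classes whose cumulative share meets the threshold."""
    chosen = []
    for cls, _, _, cumulative in pareto_table(weights):
        chosen.append(cls)
        if cumulative >= threshold:
            break
    return chosen

def cost_weighted(counts, cost_per_incident):
    """Re-weight each class by its count times the estimated per-incident cost."""
    return {cls: n * cost_per_incident[cls] for cls, n in counts.items()}
```

With the hypothetical costs, Hacking moves from the bottom of the count-based chart to the top of the cost-weighted one, which is the blind spot the section describes.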

Another method of avoiding Pareto blinders is to occasionally think like someone intent on doing harm. Perhaps the hacking incidents are low not because there are only a few employees doing it, but because those that do hack realize that they are violating policy and take measures to avoid getting caught. Regular assessments, especially unannounced ones conducted by a group of outsiders, or “Red Team,” can help discover where these threats exist, the potential damage they can cause, and how to defend against them.

Conclusion

Information security managers are confronted with an increasingly large and complex body of information in their jobs. The Pareto Principle is one tool they can use to determine where to focus their limited resources. However, it is only effective if applied regularly and while acknowledging that severe threats can fall outside of its net.
