What is an “effective” Control?

One of the many sources of information security news and advice that I subscribe to is the SecurityMetrics mailing list. Last week, Wade Baker of Verizon Business Security Solutions summarized when security controls can be considered effective, efficient, or optimal.
“If it does what it’s supposed to, to the degree it’s supposed to, it’s effective (no matter how much risk, or what % of attacks, etc. it reduces). If it does that for a cost that is low relative to its effectiveness, it’s efficient. At the point where the cost of increasing effectiveness exceeds the incremental benefit of doing so, it’s optimal.” - Wade Baker, Verizon Business Security Solutions
Source: Verizon Business Security Blog, “What is an ‘effective’ Control?”

