“Information Security is only as strong as the weakest link in the chain”
The statement above is popular. It appears from time to time in blogs, on company websites, in research papers, in white papers and in conference proceedings alike. It is an absolute statement, and the trouble with thinking in absolute terms is well known, so I need not discuss it here. Neither do I question the validity of the metaphor itself: a physical chain really does fail at its weakest link. What I question is its applicability to information security, and the thinking and the concept behind it.
The “weakest link” metaphor in information security dates back to the rise of perimeter defence. I try not to be pedantic here and am happy to concede that it might even pre-date it. I am – to reiterate – not speaking against the validity of the principle that “a chain is as strong as its weakest link”. The point I am anxious to make is that, however widely it is used, it is not a well-fitting metaphor for information security.
The “link concept”
When one follows through the metaphor’s statement to its logical conclusion, it is obvious that once the weakest link is broken, the whole chain is broken. Along the same line, if information security is a chain and it is broken, the whole of information security is broken. However, I believe there are a few logical errors in this conceptual picture.
First of all, equating “weakest” with “most vulnerable” or even “most exposed” is not necessarily correct in today’s information security environment. The “weakest link” might sit somewhere the probability of its exploitation is low, so that the risk it represents (likelihood combined with impact) is not commensurate with the weakness itself. Mitigating the “weakest link” might also cost more than the expected loss from its exploitation, in which case the weakness or vulnerability can be accepted rather than fixed.
The statement implies still another idea. It describes individual components put together but working independently, instead of a coherent, cohesive system. It focuses on the strength of individual components and loses the view of the whole being stronger than its parts; in fact it promotes the opposite. “No security solution is ultimately stronger than its weakest link” is therefore a very arguable claim. The weakest component can remain the weakest without rendering the whole protection weak. Layered defence, trust zone architecture and a few other measures can compensate for a given weakness and can significantly improve the overall strength of information security. They complement each other; they strengthen and enhance each other.
May I also add that the chain metaphor can create false assurance. As long as the weakest link is not broken, “we are fine”. This is not necessarily the case even if the “information security chain” is intact: an attacker does not need to break the chain to go behind or above it, for instance by using a stolen credential that no link was ever designed to stop.
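To make the argument of the last three paragraphs concrete, here is a small probabilistic model, added to this post as an illustration and not part of the original text. It assigns each control a probability that a capable attacker defeats it and an impact if the asset behind it is lost; the numbers are constructed for the example, not measurements. It then compares the “chain” reading (the attacker wins by defeating any one control, so the worst control dictates the outcome) with the layered reading (independent layers that must all be defeated, so the weakest layer only contributes), shows how a path that goes behind the layers weakens them, and ranks controls by expected loss rather than by weakness alone.

```python
from math import prod
from typing import Dict, List, Tuple

# Constructed sample data for the illustration: per-control probability that a
# capable attacker defeats the control, and impact (arbitrary loss units) if
# the asset behind it is compromised. Control names are hypothetical.
SAMPLE_CONTROLS: Dict[str, Tuple[float, float]] = {
    "legacy_vpn_appliance": (0.50, 10.0),
    "web_application_firewall": (0.20, 200.0),
    "database_authorization": (0.10, 1000.0),
}

# The same three bypass probabilities, treated as three layers in depth.
SAMPLE_LAYERS: List[float] = [0.50, 0.20, 0.10]


def chain_breach_probability(p_bypass: List[float]) -> float:
    """'Weakest link' reading: controls are links in series and the attacker
    wins by defeating ANY one of them, so a breach happens unless every link
    holds. The result is never lower than the single worst link."""
    return 1.0 - prod(1.0 - p for p in p_bypass)


def layered_breach_probability(p_bypass: List[float]) -> float:
    """Defence-in-depth reading: independent layers the attacker must defeat
    in turn, so a breach needs ALL of them to fail. The result is never higher
    than the single best layer; the weakest layer contributes but does not
    dictate the outcome. Independence is the assumption that makes this hold."""
    return prod(p_bypass)


def layered_with_bypass(p_bypass: List[float], p_skip: float) -> float:
    """Same layers, plus an independent path that goes 'behind or above' them
    (for example a stolen administrator credential). The layers only protect
    the asset if the attacker neither defeats them in turn nor skips them."""
    return 1.0 - (1.0 - prod(p_bypass)) * (1.0 - p_skip)


def weakest_control(controls: Dict[str, Tuple[float, float]]) -> str:
    """The 'weakest link' in the plain sense: highest probability of bypass."""
    return max(controls, key=lambda name: controls[name][0])


def rank_by_risk(controls: Dict[str, Tuple[float, float]]) -> List[Tuple[str, float]]:
    """Order controls by expected loss (probability times impact), highest
    first. The most bypassable control is not necessarily the one to fix first."""
    scored = [(name, p * impact) for name, (p, impact) in controls.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    print(f"chain model breach probability:   {chain_breach_probability(SAMPLE_LAYERS):.4f}")
    print(f"layered model breach probability: {layered_breach_probability(SAMPLE_LAYERS):.4f}")
    print(f"layered model with 5% skip path:  {layered_with_bypass(SAMPLE_LAYERS, 0.05):.4f}")
    print(f"weakest control by bypass chance: {weakest_control(SAMPLE_CONTROLS)}")
    for name, risk in rank_by_risk(SAMPLE_CONTROLS):
        print(f"  expected loss {risk:8.1f}  {name}")
```

With the sample numbers the chain reading gives a 64% chance of breach, dominated by the 50% appliance, while three independent layers give 1%; a 5% side path around the layers raises that to just under 6%, which is the “behind or above” point. The ranking by expected loss puts the database authorization control first even though the VPN appliance is the “weakest link”. The model is only as good as its independence assumption: layers that share a credential, a network path or an administrator fail together and collapse back towards the chain case.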
The alternative
I propose an equally plausible metaphor that I believe serves better than the “weakest link”: information security as a high-performing machine, such as a Formula 1 car. Yes, it has small parts, and yes, it has weak parts. Any part of such a machine can break. However, a broken part doesn’t necessarily mean that the car becomes useless or worthless. Of course, performance degradation might occur, but this can be corrected. Engineers, I am told, can even fine-tune the engine remotely during the race. For other problems the car might need to return to the pit for a repair. But the car doesn’t just fall apart or disappear when its weakest part breaks.
Along the same line, a component of information security might get broken. This might reduce the effectiveness or the quality of information security, but it doesn’t make it disappear, and it doesn’t necessarily mean that there is no protection at all. Those broken parts need to be fixed, of course, and fixed fast. If a part is not “fixable”, compensating controls should be put in place around it.
This is why I believe the machine metaphor is superior to the chain metaphor. It discourages thinking in isolated, reactive fits and encourages thinking in terms of complex, inter-related components rather than individual parts. More granular, more effective solutions can be created this way, and identified weaknesses can be addressed in a more timely and cost-effective manner.
“So what?” – you might ask. – “Does it really matter what mental picture is used as long as it works?” – I believe it does. We do well to remember that metaphors shape how we think, which influences what we see, which in turn influences what we say. Indeed I would go this far: ideas communicated with a well-understood meaning lead to well-implemented action. Thinking about information security as high-performing, vibrant machinery instead of a static chain – I submit – would lead to better results.
Why not?