The Broken Windows Economics of IT Security

To economists, the term “Broken Windows” refers to the question that if a shopkeeper pays a glazier to repair a broken window at his store, does this deliver an economic benefit to society? Many people would say yes, because it generates demand for glass and work for the glazier.

Have you ever been witness to the fury of that solid citizen, James Goodfellow, when his incorrigible son has happened to break a pane of glass? If you have been present at this spectacle, certainly you must also have observed that the onlookers, even if there are as many as thirty of them, seem with one accord to offer the unfortunate owner the selfsame consolation: “It’s an ill wind that blows nobody some good. Such accidents keep industry going. Everybody has to make a living. What would become of the glaziers if no one ever broke a window?

Excerpt from the 1850 essay “That Which is Seen and That Which is Unseen” By Frederic Bastiat

The majority of economists, however, would say that it is a fallacy to believe that the broken window generates economic good, as it forces the shopkeeper to expend resources to fix something that wasn’t broken and functioned perfectly well before small boys began playing baseball in front of the shop. Paying for repairs reduces his/her business’ ability to spend money on more rewarding alternatives—financing inventory, expanding the shop, etc.

But if, by way of deduction, you conclude, as happens only too often, that it is good to break windows, that it helps to circulate money, that it results in encouraging industry in general, I am obliged to cry out: That will never do! Your theory stops at what is seen. It does not take account of what is not seen.

It is not seen that, since our citizen has spent six francs for one thing, he will not be able to spend them for another. It is not seen that if he had not had a windowpane to replace, he would have replaced, for example, his worn-out shoes or added another book to his library. In brief, he would have put his six francs to some use or other for which he will not now have them.

Society loses the value of objects unnecessarily destroyed, and at this aphorism, which will make the hair of the protectionists stand on end: “To break, to destroy, to dissipate is not to encourage national employment,” or more briefly: “Destruction is not profitable.”
IT security has evolved into a classic broken windows business. It exists to repair things that shouldn’t break in the first place. Furthermore, every dollar that a business spends on Security subtracts a dollar from expenditure on more worthwhile alternatives—product innovation, improved public services, higher salaries, dividends to investors, etc.

Every so often someone gets up and claims that good IT security pays for itself. Nonsense. Every CEO, CIO, and CFO I have ever met resents every dollar they have to spend to protect themselves from the oversights of system architects, software developers, and product designers. They know that IT security is a wound that never heals, and that while they need to be lucky all the time, a hacker needs only to be lucky once to do serious damage to business processes, balance sheet assets, and/or marketplace reputation.

Realistically, IT security is going to remain a significant budget item as far as the eye can see.  But I believe two types of security solution vendors have emerged. While they still make up a majority, Type A vendors sell paranoia. They harp endlessly on the mortal threats of thumb drives, social media sites, and satanic plots spawned by hackers of disparaged nations and ethnicities. Shattered windows are their business and they love the sound of breaking glass. Established type A security vendors simply have too much to lose by helping their customers eliminate or reduce the potential for broken windows events and thereby enabling companies to reduce their IT security budgets.

Type B vendors recognize the market opportunity to help customers reduce the cost and complexity of IT security. Make no mistake. Profit motivates Type B vendors every bit as much as Type A counterparts. It’s just that they mix some enlightenment with their self-interest. Type B vendors are the ones advocating ways to efficiently minimize target surfaces, radically change their security programs, and perform mundane but necessary system management processes as thoroughly and friction-free as possible.

While generalizations are slippery, such vendors will always be in the minority and tend to be the innovative upstarts of the industry. They are not part of the PCI collective, they find it difficult to swim against the rising tide of broken glass marketing, they offer viable alternatives to the current <glass breaks – repair glass – add more glass – glass breaks – repeat> cycle the IT security industry has created.

As I write, the RSA Conference is getting ready to open soon in San Francisco. Hundreds of vendors will convene to spend millions of dollars to convince public and private sector managers to continue to spend billions of dollars on various IT security widgets, left-handed monkey wrenches, and foo foo dust. They will do their best to drown out voices that say it doesn’t have to be this way that there are viable alternatives to the never-ending IT security hamster wheel of pain. What a waste.


20 thoughts on “The Broken Windows Economics of IT Security

  1. Yep, security as a business enabler – a remarkably clear concept, and yet still ignored to this very day. The problem is that people are drawn to FUD like moths to a flame. Moreover, we also have to mitigate geeks’ shiny object syndrome, and that saying “fewer tools, smarter work” will mean less shiny objects. I’ve been pushing forward this message for 10 years now and only in the last couple years have started to see people actually starting to grok this message.

    Of course, the best part here is the conspiratorial fraud angle. The same argument has been used with equipping police with higher powered weapons. Escalation principles and all that. It’s somewhat of a catch-22… would you rather your criminals be more or less evolved, proportional to the evolution of your defenses? No clear answer there…

    • Hey Ben

      Ah yes the old ‘Security as a business enbaler’ position. I have used this myself to describe conditions where based on certain security controls the business was able to take advantage of certain conditions that benefit the bottom line. Examples would include support for remote, mobile, or telecommuting workforces, rapid integration of disparate infrastructures during a M&A event, expansion into hostile markets with higher levels of confidence in the integrity of the companies assets, etc…this is a really hard argument to prove and again it only occurs because people are out there breaking windows because sans security all of these conditions can be met and that is part of the dilemma of the conversation with the executives.

  2. Join the chorus… I’m working hard on only buying from Type B vendors while I work hard on putting myself out of business.

    Thanks for taking the time to write the Type A and Type B descriptions, I’m totally stealing them.

  3. This whole post focuses on the cost of security.

    It completely ignores the benefits of the technology that must be secured.

    Yes security costs, but it is a cost that should be subtracted from the productivity benefits.

    You want to eliminate the cost of IT security? Simple, eliminate IT.

    What Amrit is proposing is all the benefits of IT but with none of the costs.

    I’m not trying to argue that security adds value. It does not.

    Rather, security is a cost of technology just like electricity, capital and labor.

    Security is thought of as distinct from the technology because security has traditionally been an afterthought.

    • Hey BJ,

      Of course my post doesn’t talk about the benefit of technology, that isn’t what the post is about, this is a post about the cost of security. I think it is a given that technology provides amazing benefits that has radically transformed every aspect of our lives over the past several decades. But I fail to see your point that security and technology are mutually exclusive. I am focusing on a single cost factor and that is security. There are obviously many others, for example I could have dragged out the whole “opportunity cost” or “free market” and its impact on innovation, but again not the point of the post.

  4. Hey Amritw,

    You wrote a couple things that suggest the spending as a requirement, rather than something that requires explicit justification through business plans or proposals. In particular, when you said, “Every CEO, CIO, and CFO I have ever met resents every dollar they have to spend,” and “Realistically, IT security is going to remain a significant budget item as far as the eye can see.”

    Based on your posting I infer that that the security spending you see is more like buying insurance than it is ROI-based.

    What’s your take? Is that an accurate read?

  5. Thanks for the posts, James and Ben. I see the same thing with our customers during their purchase cycles, but I guess I was tempted by the holy grail possibility that someone had seen tangible (and more importantly, practical) ROI justification in practice for security implementations.

      • I don’t, that’s why I had originally asked you =D

        My experience with ROI is that it’s the white whale you wrote about (

        I’ve found that ROI models are either too simple and make ridiculous claims based on small inputs of data (e.g. you’ll save hundreds of thousands of dollars just by doing xyz), or they are too complex to be practical, so no one uses them.

        That being the case, the last time I put together an ROI model I worked with a 3rd party firm that specializes in ROI. We aimed for the sweet spot right between the simple and complex I mentioned above. The results of our calculator looked promising. But then we reality hit. Only a few of the sales reps and customers used it. ROI wasn’t driving the purchases as much as other factors did. Factors that were less tangible, but very real, what Ben calls “business self-preservation.”

        So, I’m ignorantly optimistic enough to continue looking, but as of now I subscribe to the same thoughts you, James and Ben have shared here.

  6. Pingback: Why We Pay Attention To Amrit Williams – Broken Windows ECON 101

  7. Pingback: Ethics versus economics for security research | Threat Thoughts

  8. All developers take pride in their code and almost all of them think that their code will be unbreakable. A code review services such as this , can reveal that its weong to assume so. Code review service should be part of product development life cycle

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s