CHIPS Articles: To Be or Not to Be...That is the (Security) Question...

By U.S. Navy Capt. Steve Briganti - July-September 2001
Imagine a networked world for our Navy where the well-publicized benefits of the Navy Marine Corps Intranet (NMCI) allow us access to information anywhere, at any time...faster information searches...faster collaboration...faster, better decisions. A-h-h! Web-surfing nirvana!

As we become more of a "clicks and steel" Navy, increasingly dependent on information, we tend to assume that data integrity is intact and that online systems are always available when we need them. For availability and convenience, Department of Defense (DoD) information resides on the network and within the backbone itself. Many of our goods and services have become online transactions traveling along secure, confidential channels for transferring data up and down the entire online information "supply chain." What a lucrative target for hackers, crackers, potential foes and terrorists!

Now imagine a world where system security breaches force us to dust off manuals, find those paper files...and make important decisions without all the information we need.

"Information Fort" vs. "Information Trading Post"

Because of our growing dependence on information systems and the advent of the NMCI, we are wrestling with the issue of security versus network access.

Whether we are denied access or lose our connectivity because of network attacks, system problems or overly strict security rules, each instance equates to an opportunity cost. This phenomenon is what I'll describe loosely as "knowledge loss"--either the inability to create knowledge or gain efficiency from access to information, or loss from theft of intellectual property. Knowledge loss is hard to measure, but we do know that without access to network information and collaboration, our efficiency, productivity and ability to make sound decisions take a marked dive. We want our networks to be secure, to make them less inviting targets for access or disruption by potential adversaries.

A simple comparison illustrates our dichotomy between security and access. Whether a museum curator or a store manager, you face the same kind of tough choice.

Curators are experts on the invaluable artifacts housed in their museums, and they pride themselves on displaying these to a curious public. Still, they must strike a balance between the ongoing need to protect all those valuable artifacts from theft, destruction or damage, and the risk of offering enough access to view the valuables.

Similarly, store managers must allow customers to sample their goods to make sales, so they often use "transparent," static physical security methods to protect goods that incur the greatest risks.

Stores and museums could escalate security measures ad infinitum--security guards in every room 24x7, tagging all the items, putting sensors on all the doors to detect tags and surveillance cameras to watch all employees and visitors--but at a high cost and at the risk of losing their customers or viewing public.

If their goal is either to achieve perfect security or to achieve ubiquitous access, then they could find themselves in a costly and endless loop of failing to achieve either.

Let's explore our goal. Do we want to build an information fort for greater security or an information trading post for greater access? Obviously, the solution falls somewhere in between, but I'll divulge my thesis now: we must start with a predominantly secure solution and work backwards towards transparent access.

At the outset, we need a better way to measure our security risks--or knowledge loss expectancy--and then balance the benefits we gain from using information with the risks of losing it.

When a risk outweighs a benefit, we try to find a way to reduce the risk without losing the benefit -- much the same way museum curators maximize viewing opportunities even as they install unseen alarms and transparent screens. Thu

CHIPS is an official U.S. Navy website sponsored by the Department of the Navy (DON) Chief Information Officer, the Department of Defense Enterprise Software Initiative (ESI) and the DON's ESI Software Product Manager Team at Space and Naval Warfare Systems Center Pacific.

Online ISSN 2154-1779; Print ISSN 1047-9988