Measuring the security ‘smarts’ of the TSA


Daniel Geer and Bob Blakley recently published a security metrics paper asking the question "Are you smarter than the TSA? (Hint: No)".  The paper takes the position that the value (aka 'smarts') of the TSA can be read from the investment it commits per passenger, and compares that figure against what attackers and the security programs of large enterprises spend.  Using ballpark figures, the authors estimate the TSA spends about $10 per passenger boarding, while other security programs spend only pennies per customer. 

The paper can be found here. 

Daniel Geer is one of the most well-respected security metrics experts in the industry.  But I just can't follow this line of analysis...

I think it is dangerous to distill the value of security from expenditure alone.  Although an obvious relationship exists between security spending and controlling loss, I doubt it is linear.  Tripling the TSA budget to roughly $24B will not equate to 3x the level of security people feel or benefit from when boarding a plane.  Will 3x more terrorists be caught, or will hijackings be reduced to 1/3 of current levels?  Doubtful.  Spending more does not mean security will improve at the same rate.

The attackers likely don't see it as an economic problem either.  Cost may be a limitation, establishing boundaries on which attacks can be attempted.  But I have not seen any evidence that attackers make strategic decisions based upon a ratio of spending to attacker or target.  If anything, I suspect they evaluate their spending in relation to the likely return.  In my humble opinion, this probably holds true for financial, political, and even social attacks.

I would rather see this turn into a return-on-investment analysis, rather than a comparison of who is willing to spend more.

The question in the paper asks "Are you smarter than the TSA?".  I would judge any organization that can achieve, and manage to, the same or better level of risk (risk of loss) in a similar environment while spending less as being "smarter than the TSA". 

Matthew Rosenquist

About Matthew Rosenquist

Matthew Rosenquist is a Cybersecurity Strategist for Intel Corp and benefits from 20+ years in the field of security. He specializes in strategy, measuring value, and developing cost-effective capabilities and organizations that deliver optimal levels of security. Matthew helped with the formation of the Intel Security Group, an industry-leading organization bringing together security across hardware, firmware, software and services. An outspoken advocate of cybersecurity, he strives to advance the industry; his guidance can be heard at conferences and found in whitepapers, articles, and blogs.