No matter how you slice it, security costs money. Sure, we can find solutions that are free, but there is a cost associated with configuring, deploying, maintaining, and monitoring free solutions, the same way those costs are there for fee-based solutions. However, we tend to forget there is also a cost to the end user. This point was brought home to me in a real way not too long ago when I went to change the brakes on our van.

The Story

I tend to be a do-it-yourselfer with many aspects of my life. Even when I have never done something myself before, I will take up a task I think I am capable of performing. Part of this is driven by my desire to save money, but a bigger part of it comes down to challenging myself and the satisfaction I get from completing something most people don’t want to do. So recently, our van needed new brakes in the front. I have changed the brakes on my car several times over the years, so changing them on our van should be no big deal. Our van has alloy wheels, which cost more and so are more likely to be stolen than your standard rims. Thus the car company placed an added security feature of a locking wheel nut on each tire to prevent the theft.

As I was loosening the front passenger wheel, the tire iron gave way and both the lock and the key shattered. I stood there shocked for a minute, and then went inside to look up how to fix this issue. My family knew something was amiss when I came in the house and darted off to the computer. A quick search revealed two answers: either take it to a mechanic who can break it off, or purchase a non-key socket that can fit tightly over the broken nut in hopes of turning it. Not wanting to scratch the daylights out of the rim, I called a mechanic I normally use, who told me the cost of the repair would be about $15 per tire, although it could be more based on the amount of time it took. The problem they noted is that without the key I couldn’t get the remaining wheels off, and I needed to find a new key or have them break all four off. I called the dealership where I got the car to see how much a replacement key was, at the same time as I was finding the order form from the manufacturer of the key/lock. Needless to say, the dealership was going to charge me 4-5 times as much as ordering directly from the manufacturer, so I went the direct route.

After getting the new key two days later, I took the car in and, sure enough, the mechanic got the nut off in under 15 minutes and had a new non-locking nut installed. All for a minimal cost, compared to what it could have been. I got the car back home, changed the brakes myself, and didn’t shatter any more parts in the process.

So What?

This whole ordeal got me thinking. There is obviously a concern that when you put higher-value parts on a car they will get stolen. So the car manufacturer looks at the potential for loss and says, “Hey, we can protect the value at a fraction of the cost to replace the part.” When buying a new car you are thinking, “Why wouldn’t I want to protect my investment?” and so you keep the security feature enabled (by default). The cost clearly outweighs the potential loss, or does it?

In my case, the car was in my garage and still drivable despite the failure of the security feature. Sure, my brakes were a little squeaky for a few extra days, but the car still had four tires and enough brakes to stop it for the time being. Consider a different scenario, however: one where someone who has little experience changing a tire is driving down a road, away from home on a trip even, and is nowhere near a place to get the car repaired. Either they hit something or the tire is just fatigued and blows out. The person pulls over and sets about putting the spare tire on when “CRACK”, the lock and key shatter. Or perhaps the driver calls someone to tow the car or change the tire for them, and the person fixing the tire shatters the lock. You suddenly find yourself at the mercy of those who can fix the problem, and sometimes that means you get charged more than is reasonable because of the situation. In addition, you don’t know if another tire will blow out on your travels, and may elect to remove the security from all tires just to play it safe.

The point being, given the best-case scenario for failure of security measures, there is still a potential for panic. Given the worst-case scenario, however, the reaction can be downright irrational. I look back at my situation and realize the cost to “fix” the security and maintain it going forward, knowing there could be another catastrophic failure, far outweighed the actual cost of what it was protecting. As security professionals, we often look at what we are protecting and only think about the risk of loss and what that loss will cost. What we don’t always figure into the equation is the impact (cost) the security measures impose on end users. How often do we consider the cost when a security measure catastrophically fails on our end users? Perhaps stepping back and looking beyond just the need to secure something can help us make better decisions on how to implement security.

In the end, our goal as security professionals should be to ensure our organizations understand the risks they are facing and the best approach to minimizing those risks, and still deliver a highly valued service or product to the customer. My faith in the security measures placed on protecting the rims of a car has been shaken, and I don’t know that I would choose to have the security implemented again. We can’t keep allowing security to be marginalized or dismissed because we don’t consider the risk our solutions potentially create and the subsequent added cost.