Created by Rod Beckstrom (currently of ICANN, formerly of the National Cyber Security Center), Beckstrom's Law facilitates the analysis of network security in cost-benefit terms.
Beckstrom's Law can be expressed with varying degrees of mathematical complexity, depending on how detailed a calculation is required to address the question at hand. In its crudest form, Beckstrom's Law starts with this observation about the value of a network:
where V is value, B is benefit, and C is cost. This formula derives from a slightly more complex form, based on these summations:
The summation formula follows from Beckstrom's observation that the value of a network derives from the sum of discrete transactions conducted on the network by individual users. In the formula above, the subscript i refers to one user and the subscript j refers to one network. Earlier generalizations about the value of networks (for example, Metcalfe's Law) suggested that networks only grow more valuable as they become larger. Beckstrom observed that not all network transactions are valuable to all users, and that at some point the cost of a marginal network connection exceeds its benefit. This effect can clearly be seen for such network nuisances as spam or unwanted social networking "friend" requests; the effect is even more evident in the case of international security threat vectors. Can anyone say that improved network connectivity to larger numbers of offshore hackers provides any sort of economic benefit?
Following classical economic ideas such as marginal analysis and the law of diminishing returns, Beckstrom notes that some volume of network transactions will provide increasing total value. But at some point, the cost of an additional network connection outweighs its benefit. To maximize value, a network should grow in size as long as the following inequality holds true:
But networks have grown beyond their most desirable size when the marginal cost of the next connection exceeds its benefit, resulting in this expression:
The fullest mathematical expression of this line of reasoning occurs in formulas such as this one:
The new information in this version is the indices k and m (for individual transactions) and the expression in the denominator, which is the well-known formula for the time value of money. This formula is mostly interesting for very granular types of financial analysis. For security analysis, the simpler versions of Beckstrom's Law above provide a more useful jumping-off point. Returning to the topmost formula, a slight modification offers a pertinent observation about economic trade-offs for IT security.
This time, the basic idea of V = B - C has been expanded to include two new terms: SI and L. In this formula, C' now refers to all non-security-related network deployment costs. SI encompasses security investment. L represents a financial estimate of expected loss, based on risk analysis. To maximize profit, the terms V and B should be increased to maximum levels. The other three terms should all be minimized. However, note that SI and L tend to vary inversely with one another. To decrease loss, one generally needs to increase security investment. Likewise, cost cutting with respect to security investment should, ceteris paribus, increase expected loss.
This final formulation, then, suggests useful considerations for security strategy. Does any given security investment provide sufficient loss reduction to justify its expense? Conversely, does the net effect of security budget cuts or downsizing (inclusive of higher expected loss) truly improve financial results?
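As an added example (not code from the article or from Beckstrom's own work), the following Python puts the three ideas above into code: the per-user summation of value, the marginal-analysis stopping rule, and the V = B - C' - SI - L trade-off. The sample benefit, cost and loss figures, and the schedule that maps each security investment level to a loss probability and impact, are constructed assumptions.

```python
# Added worked example of Beckstrom's Law; not code from the original article.
# Assumes constructed sample figures: per-user benefits/costs for one network,
# and a constructed security-investment schedule mapping SI to (probability, impact).
from typing import Dict, Sequence, Tuple

def network_value(benefits: Sequence[float], costs: Sequence[float]) -> float:
    """V_j = sum over users i of (B_ij - C_ij): the value of one network j."""
    if len(benefits) != len(costs):
        raise ValueError("need one benefit and one cost per user")
    return sum(b - c for b, c in zip(benefits, costs))

def optimal_size(marginal_benefit: Sequence[float], marginal_cost: Sequence[float]) -> int:
    """Connections worth adding: grow while the next connection's benefit covers
    its cost, and stop at the first one whose cost exceeds its benefit."""
    n = 0
    for b, c in zip(marginal_benefit, marginal_cost):
        if c > b:
            break
        n += 1
    return n

def expected_loss(probability: float, impact: float) -> float:
    """L from risk analysis (assumed form): probability of a loss event times its impact."""
    return probability * impact

def security_value(benefit: float, deploy_cost: float, investment: float, loss: float) -> float:
    """V = B - C' - SI - L, with C' the non-security deployment cost."""
    return benefit - deploy_cost - investment - loss

def investment_justified(schedule: Dict[float, Tuple[float, float]],
                         si_from: float, si_to: float) -> bool:
    """Raising SI pays off only if the expected loss it removes exceeds the added spend."""
    loss_from = expected_loss(*schedule[si_from])
    loss_to = expected_loss(*schedule[si_to])
    return (loss_from - loss_to) > (si_to - si_from)

# Constructed sample data, not figures from the article.
BENEFITS = [100.0, 80.0, 60.0, 40.0, 20.0, 10.0]   # B_ij, diminishing per added user
COSTS = [20.0] * 6                                  # C_ij, flat per-connection cost
# SI -> (annual probability of a loss event, financial impact of that event)
SCHEDULE = {0.0: (0.30, 1_000_000.0), 50_000.0: (0.10, 1_000_000.0), 200_000.0: (0.05, 1_000_000.0)}

if __name__ == "__main__":
    n = optimal_size(BENEFITS, COSTS)
    print("all six users:", network_value(BENEFITS, COSTS))                   # 190.0
    print("first", n, "users:", network_value(BENEFITS[:n], COSTS[:n]))       # 5 users: 200.0
    print("0 -> 50k justified:", investment_justified(SCHEDULE, 0.0, 50_000.0))          # True
    print("50k -> 200k justified:", investment_justified(SCHEDULE, 50_000.0, 200_000.0))  # False
```

The sixth user costs more than the benefit it brings, so stopping at five users yields a higher network value than accepting all six; likewise the first security spend removes more expected loss than it costs, while the larger second step does not.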