Pareto Principle In The Information Security Industry

Over the weekend I had time to read some great books on economics, and as a result I have become more aware of a phenomenon known as the Pareto Principle, or the 80/20 rule.

Vilfredo Pareto was an Italian economist who lived and worked during the 19th century. During his career he discovered a law of nature which later became known as the 80/20 rule. The rule simply states that for many events, 80% of the effects come from 20% of the causes. The phenomenon was first observed by economists and applied specifically to their own field of study, but today it can easily be applied to other areas of life.

The Pareto Law is one of several so-called "laws of nature", such as "the long tail", which I will talk about some other time. These laws are very simplistic by nature and we can often doubt their accuracy, but they seem to be good tools for explaining things in our lives which cannot otherwise be explained easily.

I am particularly interested in the information security field and have a great passion for everything related to hacker culture, and I feel that we can explain many of the doubts and uncertainties we have regarding the security landscape by using the 80/20 rule. For example, if we take the accuracy of the Pareto Principle for granted, we can say that 80% of all break-ins are due to 20% of known vulnerabilities. Such a statement would definitely be very valuable for many of us.

Indeed, from the perspective of modern economics, the Pareto Principle, which might as well be a magical formula developed by a secret society of alchemist-wizards, seems to describe many phenomena, although the ratio may not always be quite so neat. By studying several other books, I found that the Pareto principle is often seen as a 90 to 10 ratio, or even 70 to 10, which does not add up to 100. This is an entirely different field worth our investigation.

I will leave the fun of investigating the wonderful applications of the Pareto Principle and its sub-culture for later, and will concentrate on several statements regarding the information security field which fit its characteristics:

The list can go on and on...