Pareto Principle In The Information Security Industry
Over the weekend I had time to read some great books on economics, and as a result I've become more aware of a phenomenon known as the Pareto Principle, or the 80/20 rule.
Vilfredo Pareto was an Italian economist who lived and worked during the 19th century. During his career he discovered a law of nature which later became known as the 80/20 rule. The rule simply states that for many events, 80% of the effects come from 20% of the causes. The phenomenon was first observed by economists and applied specifically to their field of study, but today it can easily be applied to other areas of life.
The Pareto Law is one of several so-called "laws of nature", such as "the long tail", which I will talk about some other time. These laws are very simplistic by nature and we can often doubt their accuracy, but they seem to be good tools for explaining things in our lives which cannot be explained easily otherwise.
I am particularly interested in the information security field and have a great passion for everything related to hacker culture, and I feel that we can explain many of the doubts and uncertainties we have regarding the security landscape by using the 80/20 rule. For example, if we take the accuracy of the Pareto Principle for granted, we can say that 80% of all break-ins are due to 20% of known vulnerabilities. Such a statement would definitely be very valuable to many of us.
Indeed, from the perspective of modern economics, the Pareto Principle, perhaps a magical formula developed by a secret society of alchemist-wizards, seems to describe many phenomena, although the ratio may not always be quite so neat. By studying several other books, I found that the Pareto principle is often stated as a 90 to 10 ratio, or even 70 to 10, which does not add up to 100. This is an entirely different field worth our investigation.
I will leave the fun of investigating the wonderful applications of the Pareto Principle and its sub-culture for another time and concentrate on several statements regarding the information security field which fit its pattern:
- 80% of break-ins are due to 20% of known vulnerabilities.
- 70% of break-ins are due to internal attacks - I suspect you are familiar with this rule... it just so happens that it fits here as well.
- 80% of discovered vulnerabilities are due to 20% of the available research.
- 20% of blackhat hackers are responsible for 80% of all hacks.
- 20% of all countries are responsible for 80% of cybercrime - perhaps we can block them :).
- 5% of emails to full-disclosure contribute 80% of the value of the mailing list - this is entirely based on my own observations.
- 80% of viral attacks are due to 20% of virus coders.
The list can go on and on...