Pareto Principle In The Information Security Industry

Mon, 28 Jul 2008 13:26:13 GMT

Over the weekend I had time to read some great books on economics, and as a result I've become more aware of a phenomenon known as the Pareto Principle, or the 80/20 rule.

Vilfredo Pareto was an Italian economist who lived and worked during the 19th century. During his career he discovered a regularity that later became known as the 80/20 rule. The rule simply states that for many events, 80% of the effects come from 20% of the causes. This phenomenon was first observed by economists and was originally applied only to their own field of study, but today it can easily be applied to other areas of life.

The Pareto Law is one of several so-called "laws of nature", such as "the long tail", which I will talk about some other time. These laws are very simplistic by nature and we can often doubt their accuracy, but they seem to be good tools for explaining things in our lives that cannot otherwise be explained easily.

I am particularly interested in the information security field and I have a great passion for everything related to hacker culture, and I feel that we can explain a lot of the doubts and uncertainties we have regarding the security landscape by using the 80/20 rule. For example, if we take the accuracy of the Pareto Principle for granted, we can say that 80% of all break-ins are due to 20% of known vulnerabilities. Such a statement would definitely be very valuable for many of us.

Indeed, from the perspective of modern economics, the Pareto Principle, perhaps a magical formula developed by a secret society of alchemist-wizards, seems to describe many phenomena, although the ratio may not always be exactly 80/20. By studying several other books, I found that the Pareto Principle is often seen as a 90 to 10 ratio or even 70 to 10, which does not add up to 100. This is an entirely different field worth our investigation.

I will leave the fun of investigating the wonderful applications of the Pareto Principle and its sub-culture to others, and I will concentrate on several statements regarding the information security field which fit its characteristics:

  • 80% of break-ins are due to 20% of known vulnerabilities.
  • 70% of break-ins are due to internal attacks - I suspect you are familiar with this rule... it just so happens that it fits here as well.
  • 80% of discovered vulnerabilities are due to 20% of the available research.
  • 20% of blackhat hackers are responsible for 80% of all hacks.
  • 20% of all countries are responsible for 80% of cybercrime - perhaps we can block them :).
  • 5% of emails to full-disclosure contribute to 80% of the value of the mailing list - this is entirely based on my own observations.
  • 80% of viral attacks are due to 20% of virus coders.
  • etc...

The list can go on and on...
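As an added example, not part of the original post, the following Python checks whether an incident data set actually follows the 80/20 pattern claimed above and names the minority of vulnerabilities a defender should prioritise patching. The vulnerability IDs and incident counts are constructed for illustration.

```python
from collections import Counter

# Constructed sample data: each record is the vulnerability blamed for one
# break-in. The IDs and counts are invented; 100 incidents in total.
INCIDENTS = (
    ["VULN-A"] * 40 + ["VULN-B"] * 25 + ["VULN-C"] * 15 +
    ["VULN-D"] * 8 + ["VULN-E"] * 5 + ["VULN-F"] * 3 +
    ["VULN-G"] * 2 + ["VULN-H"] * 1 + ["VULN-I"] * 1
)


def pareto_cutoff(records, effect_share=0.80):
    """Find the smallest set of causes (most frequent first) that explains at
    least `effect_share` of all records.

    Returns (chosen_causes, share_of_effects_covered, share_of_causes_used),
    so a Pareto-shaped data set yields roughly (…, 0.8, 0.2). Pass a
    different `effect_share` to test a 90/10 or 70/10 split instead."""
    total = len(records)
    if total == 0:
        return [], 0.0, 0.0
    counts = Counter(records)
    covered, chosen = 0, []
    for cause, n in counts.most_common():   # descending by frequency
        chosen.append(cause)
        covered += n
        if covered / total >= effect_share:
            break
    return chosen, round(covered / total, 3), round(len(chosen) / len(counts), 3)


if __name__ == "__main__":
    top, effects, causes = pareto_cutoff(INCIDENTS)
    print(f"{causes:.0%} of vulnerabilities ({', '.join(top)}) "
          f"account for {effects:.0%} of break-ins; patch these first.")
```

The returned cause share is what to compare against the 20% in the rule; if it comes out far higher, the incident data is spread more evenly than the Pareto claim suggests.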

anonymous
http://iang.org/papers/pareto-secure.html awesome paper
Eponymous
I am familiar with Pareto, and I think the take home message from it is not the specific percentages so much as the general concept that problems and solutions are rarely matched up in perfectly equal distributions...the majority of your problems will come from a minority of symptoms and the majority of your diligence will result in a minority of your successes. It's most useful as a perspective tool for reminding us to constantly evaluate our efforts and be mindful of goals, effectiveness, and diminishing returns. It reminds us that "work smarter, not harder" is the operative phrase, that there is no such thing as fairness, and that constantly doing the same thing while expecting a different result is tantamount to insanity.
Yousif
Wow, that's a fascinating mentality to use in other aspects of life. It certainly does relate very well with our line of business, security. Thanks for sharing this creative viewpoint with us.
fatbloke2
@pdp "70% of breakins are due to internal attacks - I suspect you are familiar with this rule… it just so happens that it fits here as well" Mmmm... not according to that recent Verizon report - see here: http://www.darkreading.com/document.asp?doc_id=156243 which indicates that 73% of breaches came from external sources. To be fair, the statistic (like most statistics) is slightly misleading in that the report states that 62% of the external breaches were due to a significant internal error - so the conclusion is that breaches are a combination of both internal error and external opportunism - nothing new there I would suspect. But I like your general statements, many of which seem to hold water or would be commonly accepted as reasonable by security professionals. Unfortunately (and from a business perspective) management would want to see proof of such figures from studies and so forth to determine whether they have any basis in reality so whilst we as security professionals would agree that the ratios for your statements seem reasonable, proving them is an entirely different matter and this is where a significant amount of difficulty exists. And of course, it is only provable statistics with solid evidence to back them up I would suggest which have value, especially from a business perspective.