Security Decay: An Entropic Approach to Definition and Understanding
Faculty of Computing, Health and Science
School of Computer and Security Science / Centre for Security Research
This article discusses the effect decay has within a systems approach used when implementing security strategies, in particular the theory of defence in depth. Defence in depth is implemented within a risk management framework to reduce an organisation's identified risks, which could otherwise lead to undesirable and unacceptable consequences. Defence in depth aims to link layered security elements into a system to ensure a holistic and functional security system, underpinned by the functions of deter, detect, delay, response and recovery. For such a system to be commissioned and to maintain its commissioning effectiveness, these functions must be performed in their sequential order and within a period of time that is less than an adversary's attack time. This paper argues that the relationship between the defence in depth elements must therefore be an orderly one, and that factors which impede this orderliness directly affect the security system as a whole. A method to understand such deterioration of orderliness is the concept of entropy, understood as the steady degradation of a system. Underpinned by the characteristics of disorganisation and decay, a security system can become degraded through the reduction in effectiveness of its individual components. Such degradation reduces the effectiveness of the whole system, considered in this paper as entropic security decay. Within the risk management framework, it can be argued that as security decay increases, risk reduction decreases and therefore risk exposure increases.
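The sequential timing argument above (detect, then delay, then respond, all inside the adversary's attack time) as an added illustrative model that is not from the paper: each layer's detection probability and delay are assumed to decay exponentially with age, the response time to grow, and the chance that detection plus remaining delay still outpaces the adversary is computed as the system decays. Layer names, values, decay rates and the interruption rule are constructed assumptions.

```python
from dataclasses import dataclass
from math import exp


@dataclass
class Layer:
    """One defence in depth element with its commissioned (as-new) values."""
    name: str
    p_detect: float    # probability the layer detects an adversary when new
    delay_s: float     # seconds the layer delays an adversary when new
    decay_rate: float  # assumed per-year exponential loss of effectiveness

    def p_detect_at(self, years: float) -> float:
        return self.p_detect * exp(-self.decay_rate * years)

    def delay_at(self, years: float) -> float:
        return self.delay_s * exp(-self.decay_rate * years)


# Constructed sample system: three layers crossed in this order by the adversary.
LAYERS = [
    Layer("perimeter fence", p_detect=0.5, delay_s=60.0, decay_rate=0.1),
    Layer("building door", p_detect=0.8, delay_s=120.0, decay_rate=0.1),
    Layer("vault", p_detect=0.9, delay_s=300.0, decay_rate=0.1),
]
RESPONSE_S = 200.0      # response force arrival time when commissioned (assumed)
RESPONSE_GROWTH = 0.05  # assumed per-year growth of response time as it decays


def interruption_probability(layers, years, response_s=RESPONSE_S,
                             response_growth=RESPONSE_GROWTH):
    """Probability that detect -> delay -> respond completes before the
    adversary's attack time, after `years` of decay.  Assumed rule: detection
    at layer i occurs as the adversary reaches it, so the delay still ahead is
    the sum over layers i..n, and it must exceed the decayed response time."""
    response = response_s * exp(response_growth * years)
    p_interrupt, p_undetected = 0.0, 1.0
    for i, layer in enumerate(layers):
        remaining_delay = sum(l.delay_at(years) for l in layers[i:])
        p_here = p_undetected * layer.p_detect_at(years)  # first detected here
        if remaining_delay > response:
            p_interrupt += p_here
        p_undetected -= p_here
    return p_interrupt


def decay_curve(layers, years_list):
    """Interruption probability over time: as decay advances, risk reduction
    falls, so residual risk exposure rises."""
    return [(y, interruption_probability(layers, y)) for y in years_list]
```

With these constructed values the commissioned system interrupts about 99% of attempts, but after ten years the remaining delay no longer exceeds the response time at any layer and the probability drops to zero even though every component still "works" individually.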