Fast, Cheap and Good: Lightweight Methods Are Undervalued
Adam Shostack

TL;DR
This paper advocates for valuing lightweight, fast, and cost-effective security methods, challenging the notion that only comprehensive approaches are valuable, supported by case studies and evaluation criteria.
Contribution
It expands security analysis paradigms to include lightweight methods and provides case studies and evaluation criteria for these approaches.
Findings
Lightweight methods are often sufficient in industry.
Case studies demonstrate effectiveness of fast, cheap security tools.
Evaluation criteria help assess lightweight security practices.
Abstract
Engineering techniques to address the endless parade of security issues are an important area of research. Properties of practices in industrial use are rarely studied. Security workers satisfice. There is a widespread perception that security work must be cumbersome, and thus there's no value to assessing levels of effort. This is complemented by a belief that the nth day of work will produce value equal to the first. These perceptions impact both practice and research. This paper expands the acceptable paradigms for security analysis to include the fast, cheap and good enough. "Nothing" is often enough for industry. This paper makes a case for valuing lightweight ("fast and cheap") methods, presents a set of case studies and evaluation criteria for such tools, including card decks and role playing games.
Taxonomy
Topics: Information and Cyber Security
