Background

"The Long Tail" is a concept put forth by Chris Anderson which described the niche strategy of businesses, such as Amazon.com or Netflix, which sell a large number of unique items, each in relatively small quantities. Anderson elaborated the Long Tail concept in his book The Long Tail: Why the Future of Business Is Selling Less of More.

Anderson argued that products that are in low demand or have low sales volume can collectively make up a market share that rivals or exceeds the relatively few current bestsellers and blockbusters, if the store or distribution channel is large enough. Research showed that a significant portion of Amazon.com's sales come from obscure books that are not available in brick-and-mortar stores. The Long Tail is a potential market and, as the examples illustrate, the distribution and sales channel opportunities created by the Internet often enable businesses to tap that market successfully.

Application to Security

In the risk management or security world we focus on the “head”: the common or major risks that we face or hear that others have faced. Naturally, all our protection efforts and postures are deployed against these “head risks”, and rightly so. For example, when we decide to put applications or services on the Internet, we make sure we protect them against risks such as the OWASP Top 10 vulnerabilities, malware and infrastructure security issues. Content security aspects such as spam filtering and antivirus become “head risks” when we talk of email systems.

Time and again we are faced with risks that lie in the “long tail”, risks we haven’t thought of or heard of. For example, terrorists hacked into the home WiFi network of Keith Heywood in Mumbai and sent out an email about their impending attack minutes before 19 explosions killed 49 and wounded more than 200 people in Ahmedabad. Since then WiFi access point security has received attention everywhere, with the Mumbai Police now planning to test open WiFi access points across the city and issue notices and citations to users found using open WiFi access points. Suddenly WiFi access point security has moved from the “long tail” to the “head”, with everyone talking about it and taking appropriate protection measures.

The question that challenges us is whether we will face a situation where it is said that “We got attacked more today using vulnerabilities which were not exploited at all till yesterday than using those which were exploited till yesterday”, much like what Amazon said about the Long Tail.

Sounds complex, doesn’t it? Well, we are already facing this issue: “How do we protect ourselves against those seemingly obscure risks which might suddenly become important?”

The answer is not simple, and its implementation is possibly more difficult. What is required is a comprehensive risk management framework that helps us identify our assets, their weaknesses and the probability of attacks, and hence the risk. We should also consider our current security posture and then the residual risk. What is critical is that this framework needs to be “live” and “in use” all the time; doing it once won’t help. It should be part of the normal business function, which would help us identify new or modified risks all the time.

We can never say we are 100% safe and protected. What we owe to ourselves and our business is to do all we can to protect our information technology assets.