Management Principles

Four principles commonly describe the phases for evaluating a system's business aspects. They are Schedule, Cost, Marketability, and Margin. At the risk of losing some of the developers reading this book, we feel that we must cover these areas because looking at the security and development trade-offs without looking at the business aspects can encourage certain trade-offs that may adversely affect the ultimate system. These business concerns directly affect the security/functionality trade-offs made during design, development, and production. The biggest problem is that if the system is not properly designed at the beginning, the time and cost involved in retrofitting it to perform as desired can be overwhelming. Unfortunately, these trade-offs often come to light several stages into the project, usually at the testing phase. Our point is this: You cannot test functionality, security, or any other -ity into a system; it must be designed in from the start and carried throughout the entire process.

Schedule

Schedule is the principle that, to bring the project to completion, the system have a plan associated with the activities. A schedule relates resources to tasks and provides a means to manage resources in relation to time and effort. It also provides detailed resource requirements, including the number and type of resources for given parts of a project. A schedule also allows managers to determine critical points or milestones in the development process and ensure that the project is given adequate attention at these times.

Cost

Cost is the principle that the system have tangible costs associated with its development and maintenance (and exit strategy) and that these costs be known and linked to specific parts of the development. Knowing these costs enables managers to anticipate cash flow needs and capital expenditures as a project progresses.

Marketability

Marketability is the principle that the system have a consumer base, that there be a need for this product or service, and that the product or service have a differentiator to distinguish it in a positive manner from its competitors.

Margin

Margin is the principle, or more accurately, measure, that the product be sold for an amount greater than the costs associated with producing, distributing, and selling the product. This difference between what a consumer is willing to pay for a given product or service and the cost to deliver that product or service is the profit or margin.

Security analysis examines all these common principles and determines the best trade-offs to protect the system effectively while maintaining control over other principles of interest. To be complete and useful, any system analysis from a risk perspective must consider all these factors to determine overall risk. Many who claim to perform security, software, or some other form of risk analysis consider only portions of these principles. Security or software analysis cannot truly be useful unless all the principles are considered when recommendations or mitigations are provided.