The Good News

In security the "80/20" rule applies: 80% of the results come from 20% of the effort.

  1. Most security is common sense and far easier to implement than you imagine.
  2. If you make that 20% effort, the likelihood of a successful attack will fall by 80%.

The Bad News

"The race for quality has no finish line." In security there is no point at which a system can be regarded as "secure", or the situation regarded as "job done". In their quest to "get the job done", many people waste time looking for a single "silver bullet" that will cure all their security problems. Unfortunately, no such tool or solution exists.

Rather than "job done", your security preparations and safeguards reach a point where you can't practically do much more without the effort greatly outweighing the risk or any potential return. Security is like a pyramid that starts off with shallow sides that grow progressively steeper the higher you go. If you consider the internal area of your pyramid as the total amount of potential risk/threat, and your progress up the side as the effort you put in, you should soon appreciate the 80/20 rule.

From this analogy it should be obvious that doing a few simple things at the start achieves huge gains; however, after getting a little further up the curve, the effort soon starts (or at least appears) to outweigh the gain.

You can also apply this same rule to the number of hackers who are willing or able to attack your system(s). As with any crime, the bulk of perpetrators are unskilled opportunists (script kiddies) who are usually eager to move on to an easier target if they don't quickly gain entry. If you liken this to a street full of parked cars, those that are locked, with nothing on show, are far less appealing than the ones that are unlocked, with items in full view. Remember that as a Security Administrator you may have to monitor and defend literally hundreds of entry points, whereas an attacker only has to find one weakness!

The FBI recently identified twenty potential weak points in everyday computer systems that a hacker could use to gain entry. Research showed that, despite the high profile of "security", it was unlikely that anyone had closed all twenty.

You should also remember that you need to protect your computer against accidents and unplanned natural events such as fire and flood. After all, if your business were to suffer a catastrophic event, your first task would be to restore normal operations.

No matter how many precautions you take, there comes a point where you can't (realistically) do any more, as the attackers are more informed, and perhaps better equipped, than you are. This is known as "acceptable risk". For example, if your office is next to a river, there is always a risk that you could be flooded; however, if moving is not an option, then you have to accept the risk. You may decide to take other remedial steps (e.g. moving computers upstairs), or to employ professionals to further reduce your risk, but this has to be balanced against the cost.

Despite many recent high-profile incidents, security is still hard to sell to businesses, and thus you must take great care when presenting your case! The key to convincing management is to avoid concentrating on complex technical issues and to highlight the potential impact on the business. For example, if you are a bank, then loss of reputation would be highly likely to cause a loss of custom, and therefore of profits. Return on security investment (ROSI) is also very difficult to sell, as it is almost impossible to accurately quantify an invisible problem or an unseen enemy; thus you should always take great care to record the details of any security incident, and to try to put a cost on any lost time or data. This cost should also reflect any effort required to return your system to service, and to take preventative steps to avoid a repeat attack.