Security teams split their effort between discovering risk and mitigating it.
The optimal breaking / building distribution of these efforts is difficult to reason about. Consider a security team that only:
Or:
This is wildly rhetorical, of course. Experience suggests that teams won’t fall into either extreme. What’s the optimal tradeoff, though?
The entire question relates to the explore / exploit pattern.
New risks might outweigh old risks. So we should find them! But… if the new risks turn out to be minor, we’ve lost precious mitigation time in the process.
How do we reason about this tradeoff in security?
Below are some non-security studies on explore / exploit in other contexts.
Feynman’s restaurant problem: Deciding whether to explore new restaurants or stick to eating at your current favorite.
The 37% Rule: Discussed by a book, 1/e appears in several explore/exploit optimization scenarios.
Psychiatry Research: A variety of studies around explore / exploit decision making.
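The 1/e figure behind the 37% Rule above comes from optimal stopping (the "secretary problem"): spend the first fraction of candidates purely exploring, then commit to the first later candidate that beats everything seen so far. The following Python is an added example, not code from the original post; it computes the exact success probability of that look-then-leap rule for every cutoff and shows the optimal cutoff landing near 37% of the candidates. Reading the candidates as risk findings scored in arrival order is an assumption made here for illustration.

```python
from fractions import Fraction


def success_probabilities(n):
    """For n candidates seen one at a time, return a list P where P[k] is the exact
    probability that rejecting the first k outright (explore) and then accepting the
    first later candidate better than all seen so far (exploit) picks the best one.
    P[k] = (k/n) * sum_{i=k+1..n} 1/(i-1), with P[0] = 1/n (accept the first seen)."""
    probs = [Fraction(0)] * n
    probs[0] = Fraction(1, n)
    tail = Fraction(0)  # running value of sum_{i=k+1..n} 1/(i-1) for the current k
    for k in range(n - 1, 0, -1):
        tail += Fraction(1, k)  # adds the i=k+1 term, which is 1/k
        probs[k] = Fraction(k, n) * tail
    return probs


def optimal_cutoff(n):
    """Return (k, P[k]) for the cutoff k that maximises the success probability.
    As n grows, k/n and P[k] both approach 1/e, which is the 37% Rule."""
    probs = success_probabilities(n)
    best_k = max(range(n), key=lambda k: probs[k])
    return best_k, probs[best_k]


def look_then_leap(scores, k):
    """Apply the rule to scores revealed one at a time, each accepted or rejected
    before the next is seen. Returns the index chosen; if nothing after the explore
    phase beats the explore-phase maximum, the last candidate is taken."""
    benchmark = max(scores[:k]) if k else float("-inf")
    for i in range(k, len(scores)):
        if scores[i] > benchmark:
            return i
    return len(scores) - 1


if __name__ == "__main__":
    for n in (3, 10, 100, 500):
        k, p = optimal_cutoff(n)
        print(f"n={n:4d}: explore the first {k} ({k / n:.1%}), "
              f"probability of picking the best {float(p):.4f}")
    # Constructed sample (assumption): severity scores of findings triaged in arrival order.
    findings = [3, 7, 2, 9, 5, 1, 8, 4]
    k, _ = optimal_cutoff(len(findings))
    print(f"explore {k} of {len(findings)}, then commit at index "
          f"{look_then_leap(findings, k)}")
```

The exact arithmetic with Fraction matters at the margin: for n = 100 the cutoffs 36 and 37 differ in success probability by only about 2e-5, and the optimal choice (explore 37, succeed with probability 0.37104) is the one the published tables give.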