The Explore vs Exploit Tradeoff in Security

Security teams split their effort between discovering risk and mitigating it.

The optimal split of effort between breaking and building is difficult to reason about. Consider a security team that only:


This is wildly rhetorical, of course. Experience suggests that teams won’t fall into either extreme. What’s the optimal tradeoff, though?

The entire question relates to the explore / exploit pattern.

New risks might outweigh old risks. So we should find them! But… if the risks are minor, we’ve lost precious mitigation time in the process.

How do we reason about this tradeoff in security?

  1. Experience suggests that it’s easier to discover risks than it is to mitigate them. That is a natural reason to favor building over breaking, to keep up with the work produced by breakers. But this becomes less true over time.
  2. A security team shouldn’t be responsible for all mitigation work. The responsibility for security to discover risks increases when the rest of an organization subsidizes mitigation.
  3. Assume there’s no calculable optimum… but security teams shouldn’t make random tradeoffs as a result. Less breaking, more building.

Below are some non-security studies on explore / exploit in other contexts.

Feynman’s restaurant problem: Deciding whether to explore new restaurants or stick to eating at your current favorite.

The 37% Rule: Discussed in a book; 1/e appears in several explore / exploit optimization scenarios.

Psychiatry Research: A variety of studies around explore / exploit decision making.
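To make the 1/e result behind the 37% Rule concrete, here is an added example (not part of the original post) using the classic optimal-stopping setup that the rule comes from: n candidates arrive one at a time in random order, you can only rank the ones seen so far, and you must commit without recall. The strategy explores the first k candidates without committing and then exploits by taking the first later candidate that beats everything seen so far. The exact success probability is computed from the standard formula, the best k is found by search, and a seeded Monte Carlo run cross-checks it; the candidate scores and trial counts are constructed for the example, and reading the candidates as "risks to review" is an assumption, not something the post states.

```python
"""
Exact and simulated success rates for the optimal-stopping ("37%") rule.

Constructed example: n candidates (think of them as candidate risks to
review, or restaurants to try) arrive one at a time in random order.  You
can only rank the ones seen so far and must commit to one without recall.
Strategy: explore the first k candidates without committing, then exploit
by taking the first later candidate that beats everything seen so far.
"""
import math
import random


def success_probability(n: int, k: int) -> float:
    """Exact probability that the explore-k strategy picks the single best
    of n candidates.  Classic secretary-problem result:
        P(k) = (k / n) * sum_{i=k}^{n-1} 1 / i   for 1 <= k <= n - 1
    With k = 0 we simply accept the first candidate, so P(0) = 1 / n.
    """
    if not 0 <= k < n:
        raise ValueError("cutoff k must satisfy 0 <= k < n")
    if k == 0:
        return 1.0 / n
    return (k / n) * sum(1.0 / i for i in range(k, n))


def best_cutoff(n: int) -> tuple[int, float]:
    """Cutoff k that maximises success_probability(n, k), with that probability."""
    k = max(range(n), key=lambda c: success_probability(n, c))
    return k, success_probability(n, k)


def simulate(n: int, k: int, trials: int, seed: int = 0) -> float:
    """Seeded Monte Carlo cross-check of success_probability(n, k)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        order = list(range(n))        # distinct quality scores; n - 1 is the best
        rng.shuffle(order)
        threshold = max(order[:k]) if k else -1   # best score seen while exploring
        chosen = next((s for s in order[k:] if s > threshold), None)
        if chosen == n - 1:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    print(f"{'n':>5} {'best k':>7} {'k/n':>6} {'P(success)':>11}   1/e = {1 / math.e:.4f}")
    for n in (10, 50, 100, 1000):
        k, p = best_cutoff(n)
        print(f"{n:>5} {k:>7} {k / n:>6.3f} {p:>11.4f}")
    print("Monte Carlo, n=100, k=37:", simulate(100, 37, 20_000))
```

Running the script shows the best cutoff settling at roughly n/e for every n, with the success probability itself also converging to about 1/e (0.3679). The takeaway for the breaking/building question is the shape of the curve, not the exact constant: too little exploration rarely finds the best option, while exploring too long leaves no room to act on what was found.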

@magoo writes about security on