In this blog, we are going to take a look at the Haddon Matrix to see how it can be used to help us in information security. The Haddon Matrix does not come from the security space, or really IT at all, but rather it is a term used in Injury Prevention. It has since been adopted into healthcare, and maybe through this blog, into information security because it is a useful tool to help us prevent data breaches.
What is the Haddon Matrix
The Haddon Matrix was developed in 1970 by, you guessed it, William Haddon. Since then, it has become the most commonly used paradigm in the injury prevention field. The matrix is a grid with three rows. The rows are Pre-Event, Event, and Post-Event. The columns look at the Host, the Agent or Vehicle, and the Physical Environment. For example, there has been a significant number of injuries from car crashes. A pre-event would include everything we can do to prevent a car crash from happening in the first place. Think of speed limits, traffic lights, highly visible arrows on curves, etc. During the event, the goal is to prevent injury, think of safety ratings in cars, seatbelts, airbags, etc. And, finally, post-event makes the assumption that, in many situations, injuries are still going to occur, so we need to reduce the impact of them and get people healthy again. This includes things like spacing ambulances at the optimum ranges for a quicker response, having tow trucks available, etc.
Applying The Haddon Matrix to Information Security
In information security, this is an incredibly useful paradigm. Far too often, we focus our efforts on pre-event. When discussing with clients the importance of incident response, backups, or network segmentation, they oftentimes like to point to a pre-event factor, such as a next generation endpoint protection, as a justification for why these other controls are redundant or unnecessary. While your endpoint protection may be great, events will still happen. You can put giant pads along the side of every highway and cars will still run into each other. Similarly, there is no silver bullet in security, so things are going to happen. That user from marketing is going to click on a link they shouldn’t. We can’t live in blissful ignorance and assume an organization will never be breached.
Instead, lets consider the entirety of the matrix. When the event occurs, what can you do to limit the impact. Think of things like segmentation so that if one area is infected it is cordoned off. Also, consider factors like alerting so that we can know as soon as it happens. Finally, we want to make sure there is a practiced and efficient incident response process that allows us to quickly take action and contain the incident.
For post-event actions, think about things that will allow us to quickly recover from an incident. This includes considering all elements (IT, public relations, communication, etc.). Do you have sufficient backups and offline backups to restore? How long will that take? Is that recovery time understood by the CEO and other key stakeholders? How can you restore the image and reputation of your company?
In summary, we can borrow a paradigm in the Haddon Matrix that has been useful in healthcare, injury prevention, and others to assist us in the way we consider our security program. Yes, we should focus on preventing incidents. Hopefully we don’t have any. However, we need to consider how we can respond and restore when an incident does happen, because like it or not, it will come eventually.