The Very Hungry Defender: Metamorphosing Security Decision-Making by Incorporating Opportunity Cost

Note: Presentation times are in Pacific Standard Time (PST).

Thursday, January 26, 2023 - 3:30 pm4:00 pm

Kelly Shortridge, Fastly, Inc.


Information security is often seen as a drain on the organization and defenders struggle to prove the value of their decisions to the rest of the organization. Security teams usually consider the narrow benefits of implementing a defensive measure for their own goals while ignoring the variegated costs they impose on the organization, its employees, its users, and even society. Therefore, information security is in continual danger of suboptimal outcomes and missed opportunities.

Opportunity cost can help transform information security programs from an organizational drag to an uplifting force by considering the foregone benefits of alternative options. This talk explores the importance of opportunity cost in security decision making and why defenders must incorporate different forms of cost in every decision. Drawing on cross-disciplinary research on opportunity cost in complex system domains, we will examine the tangible and intangible costs and effects that practitioners must take into account when evaluating defensive options. Through this lens, we’ll discuss negative externalities beget by security investments and how “cost” is far more than just money. To make these concepts more concrete, we’ll close with practical examples from the realm of application security to demonstrate why opportunity cost – and an appreciation of the kaleidoscopic nature of "cost" – is essential when making defensive decisions.

Kelly Shortridge, Fastly, Inc.

Kelly Shortridge is a Senior Principal Engineer at Fastly. Kelly is coauthor of Security Chaos Engineering (O'Reilly Media) and an expert in resilience-based strategies for systems defense. Shortridge has been a successful enterprise product leader as well as a startup founder (with an exit to CrowdStrike) and investment banker. Kelly frequently advises Fortune 500s, investors, startups, and federal agencies and has spoken at major technology conferences internationally, including Black Hat USA, O'Reilly Velocity Conference, and RSA Conference. Kelly’s research papers have been featured in Communications of ACM, IEEE, ACM Queue, and Human Factors and Ergonomics Society, spanning behavioral science in information security, deception strategies, and the ROI of resilience. They also serve on ACM Queue’s magazine editorial board.
@conference {285651,
author = {Kelly Shortridge},
title = {The Very Hungry Defender: Metamorphosing Security {Decision-Making} by Incorporating Opportunity Cost},
year = {2023},
address = {Santa Clara, CA},
publisher = {USENIX Association},
month = jan,