Generally Accepted System Security Principles

P-5 Proportionality Principle

Copyright(c), 1995 - Management Analytics and Others - All Rights Reserved


Security levels, costs, measures, practices, and procedures should be appropriate and proportionate to the value of and degree of reliance on the information systems and to the severity, probability, and extent of the potential for direct and indirect harm. The principle also applies to the level of management support necessary for a successful security program.


The requirements for security vary, depending upon the particular information system and the environment in which it operates. This principle supports approaches to security ranging from minimum controls or baseline requirements to security based on managed risk. Some organizations determine security measures based on an examination of the risks, associated threats, vulnerabilities, loss exposure, and risk mitigation through cost/benefit analysis using a Risk Management Framework (see Figure "IT Security Risk Management Framework").

Other organizations implement security measures based on a prudent assessment of "due care" (such as the use of reasonable safeguards based on the practices of similar organizations), resource limitations, and priorities. The approach used, and the degree to which it is applied, will be determined by the culture of the organization.
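The two approaches above (baseline requirements versus managed risk through cost/benefit analysis) can be made concrete with a small screening calculation. The following is an added example, not part of the GASSP text; it assumes the common annualized loss expectancy (ALE) model, and every figure and safeguard name in it is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    """One loss scenario for an information system (all figures are constructed)."""
    name: str
    asset_value: float       # value of, and reliance on, the system, in currency units
    exposure_factor: float   # fraction of that value lost per incident (0..1)
    annual_rate: float       # expected incidents per year

    def ale(self) -> float:
        """Annualized loss expectancy: single-loss expectancy times annual rate (assumed model)."""
        return self.asset_value * self.exposure_factor * self.annual_rate

@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float
    reduction: float         # fraction of the ALE the safeguard removes (0..1)
    baseline: bool = False   # minimum control required regardless of cost/benefit

def net_benefit(risk: Risk, sg: Safeguard) -> float:
    """Expected annual loss avoided minus what the safeguard costs to run."""
    return risk.ale() * sg.reduction - sg.annual_cost

def select_safeguards(risk: Risk, candidates: list[Safeguard]) -> dict[str, list[str]]:
    """Keep baseline controls unconditionally; keep the rest only when their
    expected benefit exceeds their cost. Selected names are ordered by net benefit."""
    selected, rejected = [], []
    for sg in candidates:
        if sg.baseline or net_benefit(risk, sg) > 0:
            selected.append(sg)
        else:
            rejected.append(sg)
    selected.sort(key=lambda s: net_benefit(risk, s), reverse=True)
    return {"selected": [s.name for s in selected],
            "rejected": [r.name for r in rejected]}

# Constructed scenario: a customer database with made-up value and incident figures.
CUSTOMER_DB = Risk("customer database", asset_value=2_000_000,
                   exposure_factor=0.25, annual_rate=0.2)
CANDIDATES = [
    Safeguard("offsite backups", annual_cost=15_000, reduction=0.5),
    Safeguard("24x7 monitoring service", annual_cost=120_000, reduction=0.7),
    Safeguard("patch management", annual_cost=10_000, reduction=0.3, baseline=True),
    Safeguard("access review", annual_cost=40_000, reduction=0.1, baseline=True),
]

if __name__ == "__main__":
    print(f"ALE for {CUSTOMER_DB.name}: {CUSTOMER_DB.ale():,.0f}")
    for sg in CANDIDATES:
        print(f"{sg.name:28s} net benefit {net_benefit(CUSTOMER_DB, sg):>10,.0f}")
    print(select_safeguards(CUSTOMER_DB, CANDIDATES))
```

Note that the "access review" control is kept although its net benefit is negative: a baseline requirement is applied by policy, while the monitoring service is rejected because its cost is out of proportion to the loss it would avert.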

A control or safeguard has greater value if it performs more than its primary function, e.g., deterrence as well as detection, prevention, or recovery. Successfully activated safeguards will mitigate targeted vulnerabilities and their associated threats, with an appropriate balance of automated and human response.