Randomised Controlled Trials in Corporate Security

It has long been acknowledged that corporate security is a complex game. While some of the digital aspects of security can be approached much like engineering tasks, the majority of organisational security interventions are implemented on the basis of logical deductions about operating principles and informed opinion about their likely impact. Interventions are picked up in a somewhat haphazard manner: as new staff are hired into security roles and bring in new ideas, as regulations are enforced by government, and as executives and boards agree on new programmes that affect organisational security.

What if we could encourage the adoption of a medical-sciences approach to computer security? Randomised controlled trials have been used to test interventions in social systems before, with some success. A security intervention could be tested by recruiting matched companies, randomly assigning each to adopt or not adopt a policy, and observing data breaches and other indicators of damage over the study period. If appropriate funding were available, perfect controls could even be generated by creating business entities specifically to test hypotheses.
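One practical question such a trial raises is how many companies it would take. The following is an added example, not part of the original note: it applies the standard normal-approximation sample-size formula for comparing two proportions to the outcome "suffered at least one breach during the study period", and then checks the result with a small Monte Carlo simulation. The breach rates used (a 10% control rate that the intervention halves, and a rarer 2% to 1% case) and the 5% significance level with 80% power are illustrative assumptions, not figures from the note.

```python
"""Sample-size estimate for a two-arm randomised trial of a security intervention.

Added example (not from the original note). Assumes a binary per-company outcome
("at least one breach during the study period") and uses the usual
normal-approximation formula for a two-sided comparison of two proportions.
The breach probabilities passed in below are illustrative assumptions.
"""
import math
import random
from statistics import NormalDist


def sample_size_per_arm(p_control: float, p_treat: float,
                        alpha: float = 0.05, power: float = 0.80) -> int:
    """Companies needed in EACH arm to detect p_control vs p_treat.

    Two-sided test at significance level alpha with the requested power;
    pooled variance under H0, unpooled under H1, no continuity correction.
    """
    if not (0 < p_control < 1 and 0 < p_treat < 1) or p_control == p_treat:
        raise ValueError("breach probabilities must lie in (0, 1) and differ")
    z = NormalDist()
    z_alpha = z.inv_cdf(1 - alpha / 2)
    z_beta = z.inv_cdf(power)
    p_bar = (p_control + p_treat) / 2
    numerator = (z_alpha * math.sqrt(2 * p_bar * (1 - p_bar))
                 + z_beta * math.sqrt(p_control * (1 - p_control)
                                      + p_treat * (1 - p_treat)))
    return math.ceil(numerator ** 2 / (p_control - p_treat) ** 2)


def simulated_power(p_control: float, p_treat: float, n_per_arm: int,
                    alpha: float = 0.05, trials: int = 1000, seed: int = 1) -> float:
    """Monte Carlo check: fraction of simulated trials whose z-test rejects H0.

    Each simulated trial draws breach outcomes for every company in both arms
    and applies a two-proportion z-test with pooled variance.
    """
    rng = random.Random(seed)
    z_crit = NormalDist().inv_cdf(1 - alpha / 2)
    rejections = 0
    for _ in range(trials):
        breaches_c = sum(rng.random() < p_control for _ in range(n_per_arm))
        breaches_t = sum(rng.random() < p_treat for _ in range(n_per_arm))
        pc, pt = breaches_c / n_per_arm, breaches_t / n_per_arm
        pooled = (breaches_c + breaches_t) / (2 * n_per_arm)
        se = math.sqrt(pooled * (1 - pooled) * 2 / n_per_arm)
        # se == 0 only when no arm records any breach (or every company does);
        # such a trial cannot reject H0.
        if se > 0 and abs(pc - pt) / se > z_crit:
            rejections += 1
    return rejections / trials


if __name__ == "__main__":
    # Illustrative scenarios (assumed rates, not data from the note).
    for pc, pt in [(0.10, 0.05), (0.02, 0.01)]:
        n = sample_size_per_arm(pc, pt)
        print(f"control {pc:.0%} -> intervention {pt:.0%}: "
              f"{n} companies per arm ({2 * n} total), "
              f"simulated power ~ {simulated_power(pc, pt, n):.2f}")
```

The point the numbers make is that the rarer the outcome, the larger the trial: halving a 10% annual breach rate already needs several hundred companies per arm, and halving a 2% rate needs thousands, which is the real constraint on recruiting "enough companies over a long enough period".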

The main possible objections are:


Any such study would have to take the form of a trial on some matter of interest where we can recruit enough companies over a long enough period, and be assured of their adherence to their assigned arm (intervention or control). The ideal candidate would be some widely proposed intervention.