Separation of policy from implementation makes the system more accessible because it can provide a single, uniform interface to all security modules. Instead of having to deal with different definition and configuration applications for each product or device, all subsystems can be managed centrally from within a single consistent environment. This flattens the learning curve and reduces the time and effort spent on training. When things do go wrong, logfile analysers can extract the relevant data necessary to understand what actually happened, thereby reducing the time (and to a lesser extent the experience and training) needed to investigate and think of appropriate countermeasures.
A successful attack may result in data being permanently and irretrievably lost -- it is therefore better to prevent than to cure. Real-time notification implies that an alert can be given before damage is actually done (proactive); real-time response implies that an actual attack is countered as it is being attempted (reactive). It is also more cost-efficient. Even when things go wrong, good forensic data can reduce the time necessary to investigate the matter and take appropriate measures to prevent a similar incident in the future. Open systems that are made up of modular building blocks enable cost-efficient acquisition and development (see paragraph 5.3).
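To make the separation of policy from implementation concrete, the following is an added example (written for this edit, not taken from the document or from any product it discusses). It assumes a deliberately small policy model: ordered rules that allow or deny TCP traffic from a source network to a destination port. One policy is checked once for conceptual problems (contradictory rules and rules that can never fire) and then rendered to two different packet-filter back-ends, iptables and OpenBSD pf, so that the administrator works with a single definition rather than with each product's own configuration language. The back-end syntaxes are real but only the small subset used here is covered.

```python
"""Added example: one high-level policy, checked for consistency and
rendered to two back-ends. The policy model and sample rules are
constructed for this example."""
from dataclasses import dataclass
from ipaddress import ip_network, IPv4Network
from typing import List


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    src: str           # source network in CIDR notation
    dport: int         # destination TCP port
    comment: str = ""  # free text, kept out of the rendered output

    def net(self) -> IPv4Network:
        return ip_network(self.src)


def check_consistency(rules: List[Rule]) -> List[str]:
    """Return a description of every conceptual problem in the policy.

    First-match semantics are assumed. Two kinds of problem are reported:
      * conflict: two rules with the same match but opposite actions
      * shadow:   an earlier rule covers a later rule, so the later rule
                  can never fire (this includes exact duplicates)
    """
    problems = []
    for i, earlier in enumerate(rules):
        for later in rules[i + 1:]:
            if earlier.dport != later.dport:
                continue
            same_match = earlier.net() == later.net()
            covered = later.net().subnet_of(earlier.net())
            if same_match and earlier.action != later.action:
                problems.append(f"conflict: {earlier.comment!r} vs {later.comment!r}")
            elif covered:
                problems.append(f"shadow: {later.comment!r} never fires because of {earlier.comment!r}")
    return problems


def render_iptables(rules: List[Rule]) -> List[str]:
    """iptables evaluates rules in order, so the list maps directly."""
    target = {"allow": "ACCEPT", "deny": "DROP"}
    return [f"iptables -A INPUT -p tcp -s {r.src} --dport {r.dport} -j {target[r.action]}"
            for r in rules]


def render_pf(rules: List[Rule]) -> List[str]:
    """pf is last-match by default; 'quick' makes it first-match so both
    back-ends implement the same ordered policy."""
    verb = {"allow": "pass", "deny": "block"}
    return [f"{verb[r.action]} in quick proto tcp from {r.src} to any port {r.dport}"
            for r in rules]


# Constructed sample policy: two deliberate mistakes are included.
POLICY = [
    Rule("allow", "10.0.0.0/8", 22, "admin ssh"),
    Rule("deny", "0.0.0.0/0", 23, "no telnet"),
    Rule("deny", "10.0.0.0/8", 22, "contradicts admin ssh"),
    Rule("allow", "10.1.0.0/16", 22, "already covered by admin ssh"),
]

if __name__ == "__main__":
    for p in check_consistency(POLICY):
        print("policy problem:", p)
    print("\n".join(render_iptables(POLICY)))
    print("\n".join(render_pf(POLICY)))
```

The consistency check is the point of the exercise: because the policy exists independently of any back-end, the contradiction and the shadowed rule are found once, in the abstract model, instead of being discovered separately (or not at all) in each product's configuration.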
A system that is easy to learn and understand -- and that can contribute to learning and understanding -- will automatically be more effective. Tools that lift the way of operating the system to a higher level of abstraction prevent obvious errors in configuration, operation and maintenance, which are traditional holes in security systems. Remember that putting security in place is one thing, maintaining it is another -- think of our quote from [ISO97] on page . High-level definition of security policies using formal models can help in detecting conceptual inconsistencies. The fact that the system might be capable of linking events from different monitors is an example of a higher level of abstraction in operation. Automatic triggering of vulnerability scanners at regular time-intervals is an example of automated maintenance. Finally, open standard systems make independent evaluation of their performance and effectiveness possible.
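The linking of events from different monitors mentioned above, and the logfile analysis that extracts only the relevant data, can be shown in a few lines. The following is an added example, not code from the document: it assumes two monitors, a packet filter and a host's authentication log, whose line formats are constructed here for the example. Each parser discards what is irrelevant to an investigation (accepted packets, successful logins), normalises the rest into a common event record, and a correlator then links events that share a source address and fall within a time window, producing one alert per source that ties the two monitors together.

```python
"""Added example: filtering two monitors' logs and linking their events.
Log formats, addresses and timestamps are constructed for this example."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample lines (documentation address ranges, made-up times).
FW_LOG = """\
2024-03-01T10:00:01Z fw DROP src=203.0.113.5 dst=192.0.2.10 dport=22
2024-03-01T10:00:02Z fw ACCEPT src=198.51.100.7 dst=192.0.2.10 dport=443
2024-03-01T10:00:03Z fw DROP src=203.0.113.5 dst=192.0.2.10 dport=23
2024-03-01T10:30:00Z fw DROP src=198.51.100.9 dst=192.0.2.10 dport=22
"""
AUTH_LOG = """\
2024-03-01T10:00:15Z host1 sshd: Failed password for root from 203.0.113.5
2024-03-01T10:00:20Z host1 sshd: Accepted publickey for alice from 198.51.100.7
2024-03-01T10:45:00Z host1 sshd: Failed password for root from 198.51.100.9
"""

FW_RE = re.compile(r"^(\S+) fw (DROP|ACCEPT) src=(\S+) dst=\S+ dport=(\d+)$")
AUTH_RE = re.compile(r"^(\S+) (\S+) sshd: (Failed|Accepted) \S+ for (\S+) from (\S+)$")


@dataclass
class Event:
    ts: datetime
    monitor: str   # which monitor produced the event
    src: str       # source address: the key used to link events
    detail: str


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_firewall(text: str) -> List[Event]:
    """Keep only dropped packets; accepted traffic is noise for this purpose."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m and m.group(2) == "DROP":
            events.append(Event(parse_ts(m.group(1)), "firewall", m.group(3),
                                f"dropped packet to port {m.group(4)}"))
    return events


def parse_auth(text: str) -> List[Event]:
    """Keep only failed logins; successful ones are not evidence here."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m and m.group(3) == "Failed":
            events.append(Event(parse_ts(m.group(1)), "auth", m.group(5),
                                f"failed login for {m.group(4)} on {m.group(2)}"))
    return events


def correlate(events: List[Event], window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Link events from *different* monitors that share a source address and
    lie within `window` of each other. Returns one alert per linked source."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        linked = set()
        for i, a in enumerate(evs):
            for j in range(i + 1, len(evs)):
                b = evs[j]
                if b.ts - a.ts > window:
                    break          # sorted by time, so nothing later can qualify
                if a.monitor != b.monitor:
                    linked.update({i, j})
        if linked:
            chosen = [evs[k] for k in sorted(linked)]
            alerts.append({"src": src,
                           "monitors": sorted({e.monitor for e in chosen}),
                           "events": [f"{e.ts:%H:%M:%S} {e.monitor}: {e.detail}" for e in chosen]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_firewall(FW_LOG) + parse_auth(AUTH_LOG)):
        print(f"ALERT source {alert['src']} seen by {', '.join(alert['monitors'])}")
        for line in alert["events"]:
            print("   ", line)
```

With the default five-minute window only 203.0.113.5 is reported, because its dropped packets and its failed login fall within seconds of each other; 198.51.100.9 produced one event on each monitor but fifteen minutes apart, so the two are not linked. Widening the window to twenty minutes links them as well. The window is therefore the parameter an operator tunes between missing related events and flooding the analyst with coincidences.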