
CHAPTER 9

User Domain Policies

A TENET OF TELECOMMUNICATIONS SAYS the more people who access a network, the more valuable the network becomes. This is called Metcalfe’s law. Put more formally, Metcalfe’s law states that the effect of a telecommunications network is proportional to the square of the number of connected users of the system (n²). Consider a telephone system as an example. If only two telephones were on the system, the value of the system is limited. Only two people can talk at any given time. But add millions of phones and people, and suddenly the effect of the network rapidly increases. In this case, effect and value are being used synonymously. Metcalfe’s law has been expanded into related areas. For example, David Sarnoff created Sarnoff’s law, which states that the value of a broadcast network is proportional to the number of viewers. David Reed created Reed’s law, which is a bit more relevant to computer networks. He states that the utility of a network can scale exponentially with the size of the network.

This same principle can also be applied to the introduction of technology. As new technologies introduce new capabilities, the value of the network increases yet again. However, it’s also true that the more users and technology involved in a network, the more complex it becomes, and the more potential security risks are introduced. It should also be noted that the more value a network has, the more deleterious an outage will be. This further compounds the security issues.

To illustrate these points, consider what happens when you bring home a new laptop. Typically, a new computer has a new installation of the operating system, preloaded applications, and games. The number of users is one: you. The security risks are low. Then you add technology such as an Internet connection, new social media software, and more users, such as family and friends. The laptop now becomes far more valuable; however, the value comes at a cost of increased security risks. Part of that value, as well as part of that risk, depends on how connected your laptop is and on how large the network it connects to is.

This increase in the number of people accessing your network, along with the introduction of new and emerging technology (such as mobile devices), has dramatically increased the number of security risks. As the user population and the diversity of technology increase, so does the need to access information. This need translates into complex security controls that must be maintained. Inevitably, this complex jumble of controls leads to gaps in protection and security risks.

This chapter examines different types of users on networks. It reviews individual needs for access and how those needs lead to risks that must be controlled. We will also discuss how security policies mitigate risks in the User domain. The last part of the chapter presents case studies to illustrate the alignment between types of users, risks, and security policies.
