• United States



Security Spending: The Dutch Granny Bike Equation

Jan 01, 20064 mins
IT LeadershipROI and Metrics

When does it make sense to spend more on security than on the item being secured?

I recently moved to the Netherlands to accept a position as the CISO for a non-profit international organization. It rains quite a bit more here than in New Jersey, where I used to live, and when the people speak Dutch, they do so with a guttural cacophony that sounds as if they’re winding up to expel a troublesome bit of phlegm. Those adjustments aside, information security here is pretty much the same. I mean, securing a Windows 2003 server on this side of the pond is no different than in the States.

But there are some glaring cultural differences between Americans and the Dutch, and here is where it gets interesting. Dutch society is extremely ecology-minded, and practically every Dutch man and woman rides a bicycle. Naturally, my inclination when I arrived here was, When in Holland, do as the Hollanders do. But not so fast.

The first advice I got was to not buy an expensive bike. Instead, I was told to buy a good Dutch grandma bike. You know, an upright one with pedal brakes and a bit of rust on the handlebars. No fancy gears, bike seats or racing wheelsthe closer one gets to the original caveman concept of the wheel, the better.

Then came part two of the advice: Invest more money in your bicycle lock than in the bicycle. Otherwise, the bike will be stolen. (I guess all that cheese and chocolate makes for sticky fingers.)

When I first heard this advice, I wondered if perhaps it wasn’t the Dutch equivalent of a snipe hunt. I could just see myself rolling out my rickety, old grandma bike and being caught up in a maelstrom of biking Dutchmen. Lance Armstrong look-alikes would whiz past whilst I navigated my wobbly (but highly protected) bike down the the bike lane. Small children would point and laugh, and bullies would heave rotting fruit in my direction. Surely I would be the laughingstock of this bicycle-fanatic nation.

Such was not the case. The Dutch are a serious people, and they are at their most serious when it comes to bike riding. Buy a cheap bike and an expensive lock, everyone said. My security sense began to tingle.

The Cardinal Rule of Security

We’ve all heard this basic tenet of security: Don’t spend more money protecting something than the something is actually worth. Would you, for example, pay $15,000 for guards to protect a diamond that was worth only $10,000? Couldn’t you just accept it if the damn thing got stolen and save yourself some money?

Ah yes, but the economists in the audience also recognize that there is such a thing as opportunity costs.

The bicycle (unlike the diamond) actually allows us to save money that we’d otherwise spend on things such as car insurance, taxes, parking and $6-per-gallon gasoline. What’s more, the bicycle provides intangible benefits, such as the feeling of oneness with the outdoors, a sense of well-being from improved cardiovascular health and the downright joie de vivre one derives from imbibing the sheer Dutchness of it all. Thus, in terms of both actual value and derived benefit, the bicycle is actually worth much more to the average Dutch biker than it costs.

Second, given the bicycle’s intrinsic value to potential thieves, the theft of a poorly locked bicycle is a near certainty. If you don’t lock your bike, then you will have to purchase another one. The expected loss from not having a solid lock is not only the value of the present, sure-to-be-stolen bike but also the value of the next bike that you’ll have to purchaseand, if you continue to fail to lock your bike, the cost of all the future bikes that you will have to buy because you failed to protect the previous ones. Have I lost anyone here? Good.

Secure in the knowledge of these economic principles, I happily ventured forth and purchased my scruffy little granny bike and a shiny new lock. In doing so, I learned a new lesson in security: You must take into account not only an object’s monetary value, but also its opportunity cost and expected value. Now, if I could just learn to feel a bit more secure in the Dutch bike lanes.


Paul Raines is the Chief Information Security Officer for the United Nations Development Programme. In that capacity he is responsible for the information security and disaster recovery planning for the Organisation’s 177 locations around the world. Previously, he worked for the Organisation for the Prohibition of Chemical Weapons (OPCW) and, like all current and former members of the organization, shared in the 2013 Nobel Peace Prize. Prior to working for the United Nations he was the Chief Information Security Officer for Bloomberg LP and the Federal Reserve Bank of New York. He is a graduate of the United States Air Force Academy and Harvard’s Kennedy School of Government. For relaxation he enjoys opera, Shakespeare, French wine and sometimes just sitting in a cafe with an espresso and croissant reading a good book on Roman history.

The opinions expressed in this blog are those of Paul Raines and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author