During my workshops, one exercise students always perform is the identification of the mission, the purpose, the user categories and their needs, followed by looking for a balance between those needs, which are sometimes contradictory.
Consider shareholders and customers. It is easy to increase prices and give shareholders more money. It is also easy to give away shareholder earnings as customer discounts. Both approaches provide a short-term improvement for one user category at the expense of the other, and in the long run they will bring negative consequences.
What I am going to add to this exercise today is the identification of negative users and negative needs. Those will be the people you do not want to serve and the needs you do not want to meet. I find it valuable because it enriches the context - suddenly, you look at what you have through the prism of what you do not want to have, and all the security considerations become a vital part of the value chain.
I have always felt that security was never a standalone need; it was just considered a cost/risk mitigation, and therefore it evaded conscious analysis. I was assuming that every component should be secured, and that it was up to that component to define what security measures are appropriate.
Such an approach is still true for some components, but thinking about a company as a whole requires us to look at security from a broader perspective… and I believe this can be achieved only by determining which users you do not want to serve.
Heavily inspired by https://twitter.com/tomskitomski/status/1001727845297684480.
Edit: it turns out there is already some research happening in this area: https://pdfs.semanticscholar.org/0f36/8606ceb5c2374da707a38d668c99a3ebdfa9.pdf.