Security is a space in which intuition does not serve us well.
Therefore, I have formed the habit over the decades of starting the answer to questions that are put me with the words, "The principle is…….."
Having stated the guiding principle for my answer, I go on to answer the question.
This procedure does not always lead me to a simple and correct answer but it has served very well to prevent me from giving erroneous answers.
For example, one of the questions frequently put to me is, "Is thus-and-so mechanism secure."
The temptation to answer this question yes or no is often so strong as to be almost irresistible.
However, in this case the principle is, "Nothing useful can be said about the security of a mechanism except in the context of a specific application and environment."
Restating the principle reminds one that answering the question as asked invites one to say something foolish .
Thursday, January 21, 2010
Subscribe to:
Post Comments (Atom)
As I read this, the principle is stating that security must be viewed as a system. According to management guru Russell Ackoff, a system has three properties. First, the behavior of each element has an effect on the whole. Clearly this is true for information security. Second, the behavior of elements and their effects on the whole are interdependent. This is true also; stronger password policies may lead users to write them on post-it notes. Third, no independent subgroup of components can be formed. According to Ackoff's definition security does indeed fit the definition of a business system.
ReplyDelete