Security Axioms
Originally posted at

Note: I don't necessarily agree with all the axioms. It just didn't seem right to rip-n-paste parts of the original page :)

  • Security and complexity are often inversely proportional.
  • Security and usability are often inversely proportional.
  • Security is an investment, not an expense.
  • "Good enough" security now, is better than "perfect" security ...never.[1]
  • There is no such thing as "complete security" in a usable system.
  • A false sense of security is worse than a true sense of insecurity.
  • Your absolute security is only as strong as your weakest link.
  • Concentrate on known, probable threats.
  • Security is directly related to the education and ethics of your users.
  • Security is not a static end state; it is an interactive process.
  • There are few forces in the universe stronger than the desire of an individual to get his or her job accomplished.
  • Security is a people problem. Corollary: People cause security problems, they don't just happen. (Submitted by Bret Watson.)
  • You only get to pick two: fast, secure, cheap. (Submitted by Brett Eldridge.)
  • Snyder's Razor: In the absence of other factors, always use the most secure options available. (You are either serious about security, or you're just fooling around.) (Dr. Joel Snyder)
  • Security ultimately relies - and fails - on the degree to which you are thorough. People don't like to be thorough. It gets in the way of being done. (Dave Piscitello)
False Dogma (aka "bogons")
  • Security through obscurity is wrong.
  • Security must (should) be 100%.
  • Don't use security to fix social problems.
  • If you can't trust your own employees, you have bigger problems than Internet threats. (Implication: What's wrong with your company?)
  • We can always add security later. (Dave Piscitello)

Have others to add? Send them to axioms at avolio dot com
[1] "Not everything worth doing is worth doing well", Tom West, Data General, as reported in Peters, Tom, A Passion for Excellence, and "A good plan, violently executed right now is far better than a perfect plan executed next week", General George S. Patton, IBID.