Dogma
- Security and complexity are often inversely proportional.
- Security and usability are often inversely proportional.
- Security is an investment, not an expense.
- "Good enough" security now is better than "perfect" security... never.[1]
- There is no such thing as "complete security" in a usable system.
- A false sense of security is worse than a true sense of insecurity.
- Your absolute security is only as strong as your weakest link.
- Concentrate on known, probable threats.
- Security is directly related to the education and ethics of your users.
- Security is not a static end state; it is an interactive process.
- There are few forces in the universe stronger than the desire of an individual to get his or her job accomplished.
- Security is a people problem. Corollary: People cause security problems; they don't just happen. (Submitted by Bret Watson.)
- You only get to pick two: fast, secure, cheap. (Submitted by Brett Eldridge.)
- Snyder's Razor: In the absence of other factors, always use the most secure options available. (You are either serious about security, or you're just fooling around.) (Dr. Joel Snyder)
- Security ultimately relies - and fails - on the degree to which you are thorough. People don't like to be thorough. It gets in the way of being done. (Dave Piscitello)
False Dogma (aka "bogons")
- Security through obscurity is wrong.
- Security must (should) be 100%.
- Don't use security to fix social problems.
- If you can't trust your own employees, you have bigger problems than Internet threats. (Implication: What's wrong with your company?)
- We can always add security later. (Dave Piscitello)
Have others to add? Send them to axioms at avolio dot com
[1] "Not everything worth doing is worth doing well", Tom West, Data General, as reported in Peters, Tom, A Passion for Excellence; and "A good plan, violently executed right now is far better than a perfect plan executed next week", General George S. Patton, ibid.