3
owner of a new business and were concerned about how to be profitable and be secure, everything
that you’ve read so far may not help. So, let’s start by making a category mistake. What? Why
would we want to do that? Because this category mistake we are about to make will actually help us
on the road to developing a more sensible way of talking about security: Security is about people.
In 2006, 42,642 people were killed in fatal automobile accidents in the United States (FARS,
http://www-fars.nhtsa.dot.gov/Main/index.aspx
). From 1994 to 2006, the rate of traffic fatalities
is between 40,716 and 43,510 people, per year (Ibid). Many automakers invest heavily in safety
features for their vehicles and these features have saved many lives. However, one can also see that
a great deal is missed by assuming that a vehicle’s safety features are the only thing important when
in comes to being safe on the roads. Far more important are the people on the roads, the training
they’ve had, the decisions they make, and the environment they are operating in. The same is true
regarding security. While some may object that security doesn’t have much to do with such a
gruesome statistic, on the contrary, many of the same technologies used to buy a book or music over
the Internet are used by hospitals, police departments, fire departments, and power grids. In short,
the very infrastructures that people rely on to help them and keep them safe use the same technologies
that make the news for being hacked. Not a comforting thought.
Viewing security as a holistic enterprise is a bit complex and is can be intimidating. Usually, when
presented with complexity, people try to simplify it. Whether they know it or not, they are often using
a form of Ockham’s Razor.
Ockham’s Razor
Ockham’s Razor is a common sense principle that basically says the following: If you are trying to
explain or predict the behavior of something, use the theory with the least amount of assumptions,
everything else being equal. This principle lends itself well to security considerations as it tends to
show how flexibility and complexity can be viewed as untested assumptions. For instance, there are
a wide variety of ways to secure a communication session. For a given level of security that is
desired, these various ways can be compared in terms of their flexibility and complexity. By viewing
flexibility and complexity as untested assumptions, Ockham’s razor can be applied to eliminate those
methods with more untested assumptions than other methods, all else being equal.
Ockham’s Razor Misapplied
There was a popular comic strip in the US called “Calvin and Hobbes” drawn by Bill Watterson.
Calvin, a boy of about six years old, would often ask questions that his dad could not or would not
honestly answer. Rather than explaining, his dad would invent answers. For example, he told his
son that the wind blew because trees were sneezing, or that the sun set in Arizona near Flagstaff, or
that the world really existed in black and white until it turned into color in the 1930s. After these
explanations, Calvin would breathlessly tell his mom that someday he wished he could be as smart as
his dad. When coming to learn a new topic like security, everyone should have the inquisitiveness
(but not necessarily the innocence) of Calvin. Unfortunately, after hearing more than a few security
consultants and analysts talking over the years, one could come to the conclusion that they were
heavily influenced by Calvin’s Dad.
Explaining that the wind blows because trees are sneezing is a very simple explanation and would
seem to fit Ockham’s razor rather nicely, as compared to mathematical weather models.
Unfortunately, it doesn’t do very well when it comes to predicting behavior, or at least having some
good probabilities about future behavior, which is an important part of security. One could argue
that the weather man isn’t a good model for predicting weather either, but they probably do a better
job than postulating that trees are sneezing, so we’ll assume that the weather man is better.