[Home]SecureEnough

MeatballWiki | RecentChanges | Random Page | Indices | Categories

Nothing can ever be made perfectly secure.

therefore: security countermeasures should be proportional to the risks associated with the breach they attempt to protect against. They should only be strong enough to provide a "reasonable" mitigation of those risks.

This is a form of RiskManagement, and plays heavily into how online communities operate.

On a wiki, where very little will be lost if pages are vandallized, the risk from vandallism may be fairly low. On a more static commercial website, the losses from a case of vandallism could be much higher - loss of trust from customers, negative publicity, etc.

In one case, it may be appropriate for anyone, without authentication of any form, to be allowed to change pages. In the other it may be more appropriate for only a very small group to be allowed to make changes, and then only after strenous authentication and through secure links.

Countermeasures should always be proportional to the risk they guard against.


A term and a joke: BestPractice? - the established level of security response for a business of that type. Below that, you are showing negligence and can be sued. Beyond that, you are being proactive, but if someone bypasses it, which proves your proactive nature was looking in the wrong way, which is also negligence and again you can be sued.

And the joke, which I've heard from more than one security guy: These two guys were camping in the woods, and a bear showed up at the campsite and started growling. The first guy took off, but the second guy took a second to slip on his running shoes. "Whatcha doin'?", asked the first guy. "You think you can outrun a bear?"

"I don't have to outrun the bear. I just have to outrun you."


Discussion

MeatballWiki | RecentChanges | Random Page | Indices | Categories
Edit text of this page | View other revisions | Search MetaWiki
Search: