> As some people used to say, "security is binary; you either are secure or you are not".

I think anyone that used to say that was just wrong. "We" (software community in general) have a much more sophisticated understanding of security than we used to, and realization that absolute security is virtually impossible. Security is always a continuum of risk management.

Bruce Schneier writes:

> Security is a trade-off. This is something I have written about extensively, and is a notion critical to understanding the psychology of security. There's no such thing as absolute security, and any gain in security always involves some sort of trade-off.

He's not writing specifically about digital security in that quote, but since he's foremost an expert on digital security, it's safe to say his opinions on security in general apply to digital security too. It's a good essay, worth reading.

https://www.schneier.com/essays/archives/2008/01/the_psychol...

Here's another Schneier quote about digital specifically:

> That is why security experts aren't surprised by the Sony story. We know people who do penetration testing for a living—real, no-holds-barred attacks that mimic a full-on assault by a dogged, expert attacker—and we know that the expert always gets in. Against a sufficiently skilled, funded and motivated attacker, all networks are vulnerable. But good security makes many kinds of attack harder, costlier and riskier. Against attackers who aren't sufficiently skilled, good security may protect you completely.

https://www.schneier.com/essays/archives/2014/12/sony_made_i...