- Security and complexity are often inversely proportional.
- Security and usability are often inversely proportional.
- Security is an investment, not an expense.
- "Good enough" security now is better than "perfect" security ... never.
- There is no such thing as "complete security" in a usable system.
- A false sense of security is worse than a true sense of insecurity.
- Your absolute security is only as strong as your weakest link.
- Concentrate on known, probable threats.
- Security is directly related to the education and ethics of your users.
- Security is not a static end state, it is an interactive process.
- There are few forces in the universe stronger than the desire of an individual to get his or her job accomplished.
- Security is a people problem. Corollary: People cause security problems, they don't just happen. (Submitted by Bret Watson.)
- You only get to pick two: fast, secure, cheap. (Submitted by Brett Eldridge.)
- Snyder's Razor: In the absence of other factors, always use the most secure options available. (You are either serious about security, or you're just fooling around.) (Dr. Joel Snyder)
- Security ultimately relies - and fails - on the degree to which you are thorough. People don't like to be thorough. It gets in the way of being done. (Dave Piscitello)
False Dogma (aka "bogons")
- Security through obscurity is wrong.
- Security must (should) be 100%.
- Don't use security to fix social problems.
- If you can't trust your own employees, you have bigger problems than Internet threats. (Implication: What's wrong with your company?)
- We can always add security later. (Dave Piscitello)
Have others to add? Send them to axioms at avolio dot com
"Not everything worth doing is worth doing well", Tom West, Data General, as reported in Peters, Tom, A Passion for Excellence, and "A good plan, violently executed right now is far better than a perfect plan executed next week", General George S. Patton, ibid.