For those of you wondering what the title is on about, I invite you
to download this PDF presentation (E. H. Spafford 2001, 2002) and you'll know exactly what it refers to.

Although rather outdated, this 26-page presentation by the Center for Education and Research in Information Assurance and Security (CERIAS) talks about myths and misconceptions that are still valid and still surround us these days.
After presenting a (humorous) pictorial timeline of the evolution of computers, Spafford talks about some of the causes of security problems, followed by their effects and a bunch of myths that we are somehow led to believe. He then goes on to explain how things actually are.
How about security expertise? Spafford again shows us the reality of things amidst general misconceptions that continue to float around us.
Still valid today, Spafford concludes with the following points, which we acclaim:
- Security is an unattainable absolute.
- We should be seeking high levels of trust, based on sound methods of assurance.
- Assurance is an on-going process, not a set of add-on features.
As I very often like to evangelise during the security awareness sessions I hold from time to time, hopefully we are now a bit more aware that...
- Security is not simple.
- Security is not an add-on.
- Quality and security are closely linked.
- Training and knowledge are critical to counter superstition and folklore … but trends and lack of resources mean we are likely to face many challenges.