13 Security Myths You'll Hear -- But Should You Believe?

By Ellen Messmer
Network World
February 14, 2012

Excerpt

Security Myth No. 1: "More Security is Always Better."

Bruce Schneier, security expert and author of several books, including his most recent, Liars and Outliers, explains why the often-repeated idea that "you can't get enough" security is off the mark to him: "More security isn't necessarily better. First, security is always a trade-off, and sometimes additional security costs more than it's worth. For example, it's not worth spending $100,000 to protect a donut. Yes, the donut would be more secure, but it would make more sense to simply risk the donut." He also notes that "additional security is subject to diminishing returns. That is, measures that reduce a particular crime -- say, shoplifting -- by 25% cost some amount of money; but additional measures to reduce it another 25% cost much more. There will always be a point where more security isn't worth it. And as a corollary, absolute security is not achievable." Sometimes security may even become a moral choice, and being in compliance might be an immoral decision, as could be the case in a totalitarian system, for example. "Security enforces compliance, and sometimes complying isn't the right thing to do."

