31 May 2001
Science and art
If a computer were given the job of decrypting the monoalphabetic substitution cipher puzzles found in many daily newspapers, and if that computer generated and tested 100 million 26-character solution alphabets per second, it would need about 2.5 trillion years to solve just one puzzle using brute force.
Encrypting a message in such a fashion might prevent another computer from reading your e-mail or your kid from reading your Christmas shopping list, but an amateur cryptanalyst with a pencil and a sheet of paper will read your message in just a few minutes. Security isn't only a science, a matter of developing an impenetrable cipher; it's also an art, and judgment shapes the playing field as much as the niceties of algorithm and key length.
Are you most likely to be attacked from within betrayed by an employee
or without? Does an attacker have to be locked out for a day, a year,
or forever? What resources does the attacker have? It's one thing to foil a
vengeful ex-employee possessing only modest computer skills but quite another
to hold the National Security Agency at bay. What's the real value of the material
you want to protect? How much can you afford to spend before the Law of Diminishing
Returns takes over?
Recognizing there's no such thing as perfection, security expert Bruce
Schnier argued that "the historical model of threat avoidance is flawed,
and it should be abandoned in favor of a more businesslike risk management model.
Traditional security products, largely preventive in nature, embody the threat
avoidance paradigm: Either they successfully repel attackers, or they fail.
The unfortunate reality is that every security product ever sold has, on occasion,
"A security solution based on risk management encompasses several strategies," he continued. "First, some risk is accepted as a cost of doing business. Second, some risk is reduced through technical and/or procedural means. And third, some risk is transferred through contracts or insurance."