> It is important to remember what we're trying to defend against.  As
> many of us have learned through bitter experience, the costs and
> benefits of security systems we deploy are the important part. No one
> needs perfect security in the face of no attackers at all, and even if
> attackers are numerous, if a system has low enough failure/fraud
> rates, no one will complain much.

The design goal for any security system is that the number of
failures is small but non-zero, i.e., N>0.  If the number of
failures is zero, there is no way to disambiguate good luck
from spending too much.  Calibration requires differing outcomes.
Regulatory compliance, on the other hand, stipulates N==0 failures
and is thus neither calibratable nor cost effective.  Whether
the cure is worse than the disease is an exercise for the reader.


The Cryptography Mailing List