We really wouldn't need a security industry
if everybody was honest with themselves and others. If people didn't break into other people's houses, bank accounts, commit acts that are criminal and deprive (or take advantage of) others' rights, we wouldn't need security. Remember the days you could leave your front door unlocked? Whatever happened to taking people for their word? Nowadays, you need contracts and a bunch of legal hoopla to communicate with one another.
Recall "risk" -- threat x vulnerability x asset value. Take the threat out of the equation and you no longer have a risk -- nobody would care to take advantage of it. Take the vulnerability out of the equation (like Bruce Schneier did) and you have a completely secure system. What's the most practical way to lower risk? Eliminate the threat or remove the vulnerabilities? We can't do both 100%, so what Schneier is suggesting, is unreasonable and impossible. The best we can do is work with law enforcement and justice system to remove the threat as best we can and through improved processes, create systems with less vulnerabilities.
" ....as long as people are involved, security threats can never be completely eliminated" - Viktor Cherkashin, KGB officerblog comments powered by Disqus