Tuesday, August 3, 2010


Here are some of the Physical Security Maxims of Security Guru Roger G. Johnston, Ph.D., CPP of the Vulnerability Assessment Team, Argonne National Laboratory.

Infinity Maxim: There are an unlimited number of security vulnerabilities for a given security device, system, or program, most of which will never be discovered (by the good guys or bad guys).

Comment: We think this, because we always find new vulnerabilities when we look at the same security device, system, or program a second or third time, and because we always find vulnerabilities that others miss, and vice versa.

Thanks for Nothin’ Maxim: A vulnerability assessment that finds no vulnerabilities or only a few is worthless and wrong.

Arrogance Maxim: The ease of defeating a security device or system is proportional to how confident/arrogant the designer, manufacturer, or user is about it, and to how often they use words like “impossible” or “tamper-proof”.

Be Afraid, Be Very Afraid Maxim: If you’re not running scared, you have bad security or a bad security product.

Comment: Fear is a good vaccine against both arrogance and ignorance.

So We’re In Agreement Maxim: If you’re happy with your security, so are the bad guys.

Ignorance is Bliss Maxim: The confidence that people have in security is inversely proportional to how much they know about it.

Comment: Security looks easy if you’ve never taken the time to think carefully about it.

Weakest Link Maxim: The efficacy of security is determined more by what is done wrong than by what is done right.

Comment: Because the bad guys typically attack deliberately and intelligently, not randomly.

Safety Maxim: Applying the methods of safety to security doesn’t work well, but the reverse may have some merit.

Comment: Safety is typically analyzed as a stochastic problem, whereas the bad guys typically attack deliberately and intelligently, not randomly. For a discussion of the reverse problem, see RG Johnston, Journal of Safety Research 35, 245-248 (2004).

High-Tech Maxim: The amount of careful thinking that has gone into a given security device, system, or program is inversely proportional to the amount of high-technology it uses.

Comment: In security, high-technology is often taken as a license to stop thinking critically.

Dr. Who Maxim: “The more sophisticated the technology, the more vulnerable it is to primitive attack. People often overlook the obvious.”

Comment: A quote from Tom Baker as Dr. Who in The Pirate Planet (1978)

Low-Tech Maxim: Low-tech attacks work (even against high-tech devices and systems).

Comment: So don’t get too worked up about high-tech attacks.

Nowadays I work as a security consultant; I have collected eleven pages worth of Dr. Johnston's wisdom - I keep them posted on the wall by my desk at work. In designing physical security systems, and even in the evolving field of cybersecurity, I find that all of these truisms apply sooner or later. - Sean Linnane


1 comment:

  1. Lotta wisdom there.

    How 'bout this:

    No matter how prepared you are, you will be surprised.