Security Basics mailing list archives

RE: Concepts: Security and Obscurity


From: krymson () gmail com
Date: 10 Apr 2007 14:53:21 -0000

I really think you just like hearing yourself talk. And while you spout some common axioms and economics 101 terms, they
don't mean much to this topic. Your whole fourth paragraph, while we can agree with what you said, has nothing to do 
with the topic.

You assume that there are absolute security solutions instead of the incremental security that can be experienced by 
pairing up some forms of obscurity. I'll throw in my own axioms that "security is not a state/product but rather a
process/layering" and "there is no silver bullet to security."

You also assume that gains are minimal with all obscurity, and that they have added difficulty and lost productivity. 
That is not necessarily true.

If I have two forms of obscurity that both cost the same but together the total cost is less than the asset and thus 
worthwhile, I can't use them? I have to look for something that costs less than both those obscurities that secure the 
asset perfectly?



<- snip ->
What is forgotten is that there is an economic/financial cost to all
controls.

A control is only effective if the cost of the control provides more
utility than not having the control. Thus a control that provides some
security at a cost that is greater than another control is ineffective
overall.

Security by Obscurity is an ineffective control. The gains are minimal
in economic terms. The cost however is more than the pure cash/money
costs. The additional losses to productivity and added difficulty in
maintaining secrecy do not provide the required level of gains to
offset the costs and thus creates a dead-weight loss in economic terms.

Thus security by obscurity is no security as the costs in real economic
terms do not bring benefit.

It is of no use to spend $1,000,000 protecting a $1,000 asset. This is a
loss and thus it is not a decision that provides security as the loss
exists even before the system goes live.

