How secure is secure enough?

July 28, 2008 (Computerworld) This story originally appeared in 
Computerworld's print edition.

If there is a Holy Grail in the information security industry, it surely is 
the answer to the question, "How secure is secure enough?"

It's a question that many security managers have either avoided answering 
altogether or tried to quickly sidestep by throwing a fistful of mainly 
pointless operational metrics at anyone who cared to ask.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=321921&intsrc=hm_list
-- 
"Never drive faster than your ANGEL can fly"

"paradoX" <paradoX@lupa.cc> wrote in message 
news:g6nisb$2ah6$1@news.grc.com...
> July 28, 2008 (Computerworld) This story originally appeared in 
> Computerworld's print edition.
>
> If there is a Holy Grail in the information security industry, it surely 
> is the answer to the question, "How secure is secure enough?"

The author pretty much answers his own question in "1. Decide how secure you 
want to be. "  That about covers it all.  Those more concerned with security 
will obviously do more research than those who don't and will implement 
(either off the shelf solutions or their own design) protections based on 
that research.  Those more concerned will also make sure their protections 
are working and keep up with potential threats.

I disagree with the analogy of the "Holy Grail" which would imply an 
all-in-one solution.  As the threads here show, there are as many solutions 
as there are users and each can justify their actions or views.  I guess the 
point of the article was there will unfortunately be so many controlling 
views there will have to be compromises to the solutions/protections.