Why Systems are Vulnerable. There are many reasons why systems are vulnerable to
Security is hard and expensive. It is not easy to design systems that resist penetration,
particularly in today's world where they are connected to open networks. It requires considerable
skill and investment of resources, often involving dozens of engineers and scientists and years of
work. Consequently, many systems have vulnerabilities which allow an intruder to bypass the
security controls. In many cases, the security controls themselves introduce weaknesses.
Security is a bottomless pit. It is often said that the only way to make a system secure is to pull
the plug. It is not practical, and usually impossible, to achieve 100% security. Not only is it too
expensive, it is unachievable because not all weaknesses and attacks can be anticipated.
Vulnerabilities can be found in even carefully designed products. New methods of attack are
continually being discovered. Thus, one settles for something less than perfect, say a 90% solution
aimed at preventing the simplest and most common attacks. However, this brings me to the next
Security is complex and fuzzy. We speak about information security as though it were well-
defined and quantifiable. In fact, it is neither of these. Security policies are often complex,
imprecise, sometimes conflicting, and subject to human judgment.
Organizations are willing to take risks. Organizations generally do not demand perfect security
for their systems and information. They are willing to take risks, as they do with other assets and
technologies, in order to save time and money, to enjoy the benefits of the Internet and new services,
to boost productivity, and to ensure that their employees and customers are not denied legitimate
access. Many organizations connect to the internet knowing fully well that they may be vulnerable to
attack. Access to people, organizations, and information worldwide is considered well worth the risk.
Security is about risk management, not absolute prevention.
Developers and users have limited resources. System developers have limited resources to
spend on product development, and those resources have competing demands, including
functionality, performance, and customer support. Decisions are based on factors such as
marketability and profitability. Similarly, organizations have limited resources. Funds for security
management, products, and training are balanced with other needs of the organization. In many
organizations, the senior management do not view security as very important.
New technology is constantly emerging . New technologies, for example, to support World Wide
Web applications, bring forth new forms of vulnerabilities. In the rush to bring products to market and
increase connectivity, the security implications are not always thoroughly researched and
understood. Weaknesses are not discovered until after the products have been on the market
Security engineering lags behind the product development curve.
Security involves humans. Human beings are responsible for designing, configuring, and using
systems with security features. They make mistakes in judgment and in implementation. They take
shortcuts. They do not anticipate all possible failures. They can be conned by those wishing to