Is more security always better?
Posted on: 6 January 2007
This depends on who you ask. Some people think that the more secure a system is, the better, with no exceptions. This school of thought is often attributed to product vendors. This approach helps them believe (and thus convince others) that their product is a great buy, regardless of the situation. This approach is also common among information security newbies who believe that an additional requirement or mechanism can only make you more resistant, not less, and thus is always worth adding. The fancier of these guys call it an additional “layer”, so they sound more confident.
I guess my tone so far makes it clear that I disagree. Making a system or a network more secure is sometimes worthwhile and sometimes it is not. The nice thing is that whether a system is worthwhile does not depend only on how well the system can resist attacks. There are at least two types of cases in which the “more secure = more worthwhile” principle is broken. The first is when more security is not desirable, due to the objectives of the system. The second is when more security is desirable, but the cost is too high to make it worthwhile overall.
A more secure system is not always better for you; it depends on the system and on you. Some people who use the easy-to-break built-in password protection for their documents do not use this mechanism to protect themselves against the CIA. They actually would like to know that there is a password-cracking program somewhere that they can reach for, if they ever forget their password. If they are more likely to forget the password than they are to face an attacker who will actually bother with a locked document, then they made the right decision. Think of a fancier example: Say you have a wireless network and you like to be able to repudiate your networking habits. Would you prefer WEP (weak) or WPA (strong)? Probably WEP. WEP will protect your network against your elderly neighbors, so they cannot use your ISP connection. They will not bother to break your WEP key, and if they do — no big deal. What will the more secure WPA give you? The network traffic is sent in the clear anyway from your router onwards, so using WPA will not make your network's secrets safer. On the other hand, if someone ever accuses you of doing something online, using WPA will probably make you unable to claim it was someone else using your wireless network connection. Less security is actually better for you, in this particular case.
Sometimes more security is a blessing, but not when considering the costs. Sometimes the cost is also in the currency of security, which makes the case a paradox. The heroic view of security makes people forget that security, like other aspects of system design, is all about cost-benefit. When deciding on the addition of a security measure, one must ask two questions. One question is “how much added value in security am I getting by this measure?” The other question is “what am I giving in return?” It is not too difficult to quantify the costs. It's not as easy to quantify the marginal increase in security. However, this equation must be evaluated. Too often we see extra security measures being deployed at huge cost and yet for a negligible increase in security, considering the real threats. When this happens, you get more security in a bad overall deal. If you are less lucky, you also get less security. Here are a few examples from my own experience:
To sum up, don't always be excited about adding security. Sometimes you don't really want this extra security, and in many other cases, you are not getting a better overall deal. Think.