What are the security implications of "good enough?" Does it reflect a cynical belief that just the impression of good security is sufficient, or does it refer to the realistic balance that must be struck between security measures and what they cost?
Jason Hiner's recent article, "The smartest thing anyone said about the end of the Bill Gates era," discusses an article in The Economist called "The meaning of Bill Gates" and what it has to say about the Microsoft co-founder. Quite an active discussion with hundreds of comments has resulted, as one might expect from an article offering an opinion of Gates' legacy.
One of the common themes of discussion is that of whether the software offerings of Microsoft are, have been, and ever will be "good enough." It started innocently enough, with reference to the idea that Microsoft Windows and DOS were "good enough" software, which allowed them to flourish in the market. Innocence didn't last long, however, and soon people were disagreeing vehemently over whether MS Windows is actually "good enough" for everything in general or even for anything in specific, whether anything else (particularly MacOS X and Linux distributions) was "good enough," and whether "good enough" was even a good thing.
Some of the comments in that discussion that are most contentious are those that offer clever or literalist statements that "good enough" either is, or is not, good enough. After a lot of arguing back and forth, TechRepublic community member Techno Rat offered the following observation:
Good enough is a generalisation that is unlikely to have the same meaning for different people
The statement serves as something of a sanity check -- because, unless you establish an in-context meaning for the term "good enough", people are likely to begin arguing at cross purposes and disagree at great length without ever discussing exactly the same thing. One might call Techno Rat's statement a sanity check, which is appropriate considering the context: a lengthy debate that sprang up in response to an article in the Tech Sanity Check Weblog.
Being naturally inclined to think about the security implications of things, I predictably wondered . . .
What are the security implications of the term "good enough"?
Left to itself, the term "good enough" means very little, if anything at all. It requires context and intent to add up to much of anything. With some context applied, but no clarification of the speaker's intent, "good enough" may just muddy the waters and fail to add anything meaningful to discussion. For instance, saying that the security of Microsoft Windows is "good enough" just spawns a lot of debate, because it is "good enough" for some purposes and not for others, or it is good enough for some people and not for others, or it may even refer to a philosophy of development that is, in fact, more than one philosophy -- depending on how the developers and project managers define "good enough".
To add anything to the discussion, a reference to "good enough" must also make it clear what exactly the speaker means by invoking that phrase.
"Good enough" is "good enough."
One meaning behind the statement "security is good enough" suggests that security is not an absolute end result of following good practices, because there's always more that can be done to improve security. Eventually, you just have to stop worrying about security and get on with using what you've secured, with the belief that the level of security you've achieved is good enough for your purposes.
Such a use of the term "good enough" is a good one. It shows that you've considered security, implies that you've assessed the risks involved so that you can make an informed decision, and are aware that ultimately the security measures in place must serve your needs, and not effectively replace your needs. In other words, it is a meaning that shows an awareness of the needs of good risk management policy.
This is the kind of "security is good enough" statement that makes for good security practice. To ensure you are doing the best you can for whatever entity requires your security expertise -- whether it's your employer, your client, or even yourself -- you must perform a risk assessment, balancing the security risks you face against the opportunity costs of addressing those risks, and determine what security measures should be employed to ensure that your security is good enough to meet your needs.
"Good enough" is not "good enough."
Another meaning of "security is good enough" is the mostly intrinsic meaning of the term in a software industry corporate context, where software vendors must obviously weigh the importance of security measures against costs, and measure it by the standards of marketability. To major, established software industry corporations such as Microsoft, the true value of security measures in software design and development is in creating a marketable image for the software.
What really matters to the powers that be within these corporations is the public perception of security, which in turn encourages a certain amount of actual security effort -- but to the extent that perception can be built more cheaply than by building actual security, that actual security will almost invariably be neglected. Security only needs to be good enough to promote an impression of security, which in turn only needs to be good enough so that the majority of the customer base will not go elsewhere for its software.
This is the kind of "security is good enough" statement that makes security experts cringe. Taking this approach to security tends to ignore the actual security needs of whatever entity requires your security expertise. A market-based approach to "good enough" like this one does not involve a meaningful risk assessment for the resources you must actually secure, unless you are the corporation trying to sell software according to this particular philosophy of "good enough".
Different contexts impose different meanings.
Of course, in the boardroom, and in the marketing department's offices, these examples of intended meaning for the statement "security is good enough" are reversed, in terms of which really is good enough and which is not. When, where, and to whom you say something is good enough determines how the statement will be received, and to ensure your meaning comes across clearly, you must ensure that you convey your intended meaning with more than just an assumption that people will understand you.
There are, of course, numerous other possible meanings for the term "good enough", but these two are among the most common and important when discussing matters of security in the software industry. Whatever meaning you have in mind, though, make sure you make it clear. After all, without a common basis for discussion, we will find it quite difficult to make any progress at all -- and progress is the point.