Presumed security explained

Presumed security is a principle in security engineering that a system is safe from attack due to an attacker assuming, on the basis of probability, that it is secure. Presumed security is the opposite of security through obscurity. A system relying on security through obscurity may have actual security vulnerabilities, but its owners or designers deliberately make the system more complex in the hope that attackers are unable to find a flaw. Conversely a system relying on presumed security makes no attempt to address its security flaws, which may be publicly known, but instead relies upon potential attackers simply assuming that the target is not worth attacking. The reasons for an attacker to make this assumption may range from personal risk (the attacker believes the system owners can easily identify, capture and prosecute them) to technological knowledge (the attacker believes the system owners have sufficient knowledge of security techniques to ensure no flaws exist, rendering an attack moot).

Although this approach to security is implicitly understood by security professionals, it is rarely discussed or documented. The phrase "presumed security" appears to have been first coined by the security commentary website Zero Flaws.[1] The article uses the Royal Military Academy Sandhurst as an example, focusing on the apparent lack of entry security and contrasting it against the presumed security a military installation will have. The article also details the flaws inherent in a trust seal such as the Verisign Secure Site seal, and explains why this presumed security approach is actually detrimental to an overall security posture.

Notes and References

  1. Web site: Zero Flaws: Presumed Security . 2009-08-23 . bot: unknown . https://web.archive.org/web/20121016233317/http://www.zeroflaws.net/presumedsecurity . October 16, 2012 .