
Information danger


Throughout the information security industry, I have always been bothered by the ideological contradiction between what information security people actually do and what they call their occupation.

There are no objective methods for assessing the security of an information system. Every existing method can speak either about danger ("you can't do this, you can't do that, there is a hole here") or about the system's compliance with some set of requirements from a certifying authority... And here, attention, watch the hands: those requirements are called security criteria. As in: it was certified to SFOD-12, therefore it is secure. The main thing is to have the piece of paper. And the authors of that piece of paper puff themselves up as impressively as they can, to prove with authority that nothing could possibly be more secure.

The reason lies in the non-constructive meaning of the word "security". What is a "secure system"? It is a system that lacks some part of functionality (for example, one that does NOT give access to information, or does NOT provide a certain function). So a secure system is one in which there is NO functionality OTHER than what is described in the terms of reference (TOR).

Translated into the language of mathematics: we take a finite set of functions (the terms of reference) and compute its complement. Complement with respect to what? That is the main question, and modern information security does not answer it. The complement is taken with respect to a set we do not know, which is infinite (or, if finite, lies beyond the boundary of what is visible to us). Within this infinite set we describe individual types of attacks, bad configurations, design errors and so on, but that is like listing segments on the set of real numbers.


To make it completely clear, suppose we reduce everything to a number line. The segment from 1 to 2 is our functionality. The rest is functionality unknown to us, the area of "danger".

Then along comes the security expert, who says:

If we have 0, this is a 0-vulnerability.
If we have e, this is an exponential vulnerability.
If we have π, this is a trigonometric spherical denial of service.
If we have the segment from 10 to 99, that is a lot of specific two-digit attacks.
If we have the segment from 100 to 999, those are three-digit attacks.
If we have attacks less than 2 but greater than 1, those are top-level attacks.

Is the principle clear? An expert can publish an unlimited number of lists of any degree of detail, over any set of ranges, but he will never cover the whole set of real numbers with them.

This is exactly what information security does: it enumerates individual segments of an infinite set.

In itself the discipline is perfectly clear, necessary, important... as long as we do not start pronouncing something about "the security of an information system". There is no such thing. However many items are listed, it is still a finite number against infinity. Talking about danger: yes. About security: no.

But the market demands security, and so in place of the honest "well, I can't say anything about security, but this, this and this you definitely should not do", along comes the ridiculous wrapper: "system security level"... We have audited the system, and now it is not lim x→∞ (2/x) secure but lim x→∞ (300/x) secure.

At first glance 300 is more than 2, so we can say the system has become more secure. On closer inspection, it was zero and zero it remains.
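The number-line argument above, written out as a short formalization (added here as an illustration; it is not the author's own notation). Assume the unknown universe of behaviour is U = ℝ, the specified functionality is F = [1, 2], and the danger area is D = U \ F; the expert's n-th list is a finite union of bounded segments:

$$
D = \mathbb{R} \setminus [1,2], \qquad L_n = \bigcup_{i=1}^{n} [a_i, b_i], \qquad B = \max_i b_i .
$$

Whatever n is, the uncovered danger still contains the unbounded ray $(B, \infty)$, so $D \setminus L_n \neq \emptyset$ and the enumeration never reaches the state "no unknown functionality left". Measuring the "security level" as the fraction of the danger area covered, over a window $[-x, x]$ around the functionality (which has length $2x - 1$ once $x \ge 2$), gives

$$
0 \le \frac{\lambda\big(L_n \cap [-x,x]\big)}{\lambda\big([-x,x] \setminus [1,2]\big)} \le \frac{\sum_{i=1}^{n} (b_i - a_i)}{2x - 1} \xrightarrow[x \to \infty]{} 0,
$$

which is exactly why $\lim_{x\to\infty} 2/x = \lim_{x\to\infty} 300/x = 0$: a larger finite numerator changes nothing about the limit.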

UPD: As commenters kindly point out, there is a certain "state of security", whose technical meaning I would very much like to hear...

Source: https://habr.com/ru/post/115669/
