[E-Lang] defense in depth

David Wagner daw@mozart.cs.berkeley.edu
1 Feb 2001 06:31:51 GMT


Here's a handwaving argument why defense in depth might be useful
in some settings.  (I'm using the term "defense in depth" to refer
to any case where we use two protection mechanisms in series, to
ensure that if one fails in any way, the second will still be
hopefully standing guard.  In other words, belt and suspenders.)

Look at the benefit-vs.-cost curve of building a guard component.
Obviously, if you spend more, you can improve its assurance.
However, typically you never get the probability of failure down
to exactly 0%, and moreover, typically there is a point of diminishing
returns where you have to spend (say) 10x as much to reduce the
probability of failure by (say) 2x.

Now imagine that we have some way of building two guard components
so that their failure modes are independent.  (This is a really big
assumption, so I'm going to have to ask you to just suppose there
is some setting where this happens.  If it doesn't happen, all bets
are off, and defense in depth may be worthless.)  In this case, the
failure probability for their serial composition is the product of
their individual failure probabilities, whereas the cost of the
composition is the sum of the costs of the components.  In other
words, the failure probability is going down multiplicatively,
whereas the cost is going up additively.  This can be much more
cost-effective than just taking a single component and throwing
money at it (debugging it, say) until it is secure enough.

Of course, in practice you never really get this independence
assumption, or at least, it's very hard to justify it, so you just
cross your fingers and hope.  In other words, in real life, it is
never this clear-cut.

Still, this seems to be the usual argument for defense in depth.
I think it is appropriate that it stands or falls on the strength
of the independence hypothesis and the shape of the cost-benefit curve.
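The arithmetic in the post (failure probability multiplies, cost adds) is easy to
play with numerically.  The following is an added example, not code from David
Wagner's message; it assumes a toy diminishing-returns curve p(c) = p0 * (c/c0)^(-alpha),
with alpha chosen so that spending 10x halves the failure probability (the post's
"10x for 2x"), and a simple correlation model in which two guards with equal
marginal failure probability p and correlation rho fail together with probability
p^2 + rho*p*(1-p).  rho = 0 is the independence hypothesis; rho = 1 means the
second guard fails whenever the first does.  The baseline numbers (10% failure at
unit cost) are constructed for illustration.

```python
"""Toy cost/benefit model for two guards in series (added example, not
part of the original post).

Assumed model, not something the post specifies:
  * one guard's failure probability p(c) = p0 * (c/c0) ** -alpha, a
    diminishing-returns curve; alpha = log10(2) so 10x cost -> 2x lower p.
  * two guards with equal marginal failure probability p and correlation
    rho both fail with probability p**2 + rho * p * (1 - p).
"""
import math

P0, C0 = 0.10, 1.0                  # constructed baseline: 10% failure at cost 1
ALPHA = math.log(2) / math.log(10)  # 10x cost halves the failure probability


def failure_prob(cost, p0=P0, c0=C0, alpha=ALPHA):
    """Failure probability of one guard built with budget `cost`."""
    if cost <= 0:
        raise ValueError("cost must be positive")
    return p0 * (cost / c0) ** (-alpha)


def cost_for(target, p0=P0, c0=C0, alpha=ALPHA):
    """Budget a single guard needs to reach failure probability `target`
    (the inverse of failure_prob)."""
    if not 0 < target <= p0:
        raise ValueError("target must be in (0, p0]")
    return c0 * (p0 / target) ** (1.0 / alpha)


def joint_failure(p, rho):
    """P(both guards fail) for equal marginals p and correlation rho in [0, 1].
    rho = 0 reproduces the independence assumption (p * p)."""
    if not 0.0 <= rho <= 1.0:
        raise ValueError("rho must be in [0, 1]")
    return p * p + rho * p * (1.0 - p)


def compare(budget, rho=0.0):
    """Spend `budget` on one guard, or split it over two guards in series.

    Returns (single_failure, series_failure).  The series figure is only
    as good as the correlation assumption behind `rho`."""
    single = failure_prob(budget)
    half = failure_prob(budget / 2.0)
    return single, joint_failure(half, rho)


if __name__ == "__main__":
    budget = 100.0
    print(f"budget {budget:g}: one guard fails with p = {failure_prob(budget):.4f}")
    for rho in (0.0, 0.25, 0.5, 1.0):
        single, series = compare(budget, rho)
        verdict = "better" if series < single else "WORSE"
        print(f"  two guards, rho={rho:.2f}: series p = {series:.5f} ({verdict})")
    # How much would one guard have to cost to match the independent pair?
    _, independent = compare(budget, 0.0)
    print(f"single guard matching rho=0 pair would cost ~{cost_for(independent):,.0f}")
```

With the constructed baseline, splitting a budget of 100 over two independent guards
gives a failure probability roughly 26x lower than spending it all on one, and
matching that with a single guard would cost millions of units on this curve.
Raise rho and the advantage shrinks; at rho = 1 the pair is actually worse than the
single guard, because each half-funded guard is weaker and the second adds nothing.
That is the post's point in numbers: the argument stands or falls on rho.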