Are Security Analogies Usually Wrong?

I just ran across a post from Michael Howard’s blog from March which claimed that security analogies are usually wrong. I’m not sure that I can agree with that statement. He finds that argument by analogy is weak. I don’t know his job role at Microsoft, but it seems rather technical and developer oriented. I suspect that if he was in the position to like be an evangelist for Microsoft Security with CEOs and I.T. people he would find that analogies are often the best way to get the point across. With fellow developers/computer scientists the emphasis should be on hard fact, but that doesn’t mean you’d talk that way to an end user. They’d be lost in no time. Analogies do help convey meaning to non-technical people. Analogies can also be imprecise.
What would he say when Jesper Johansson spends 15 minutes at a Microsoft Security Summit comparing defense in depth to a castles defenses? Should Jesper be chastised for using analogies? Of course not.
The one example Michael gives is attacking by analogy and there I agree with him. When people say “software security sucks, imagine if bridges were built the same way” I think they give away their ignorance about bridge building and software design.


  1. Oracle CSO Opens Mouth, Inserts Foot

    As reported by, Oracle CSO Mary Ann Davidson got near a microphone and begin pontificating on the state of security. First she blammed the “culture of patching” that software people need to think in terms of safety security and…

  2. Pingback: » Oracle CSO Opens Mouth, Inserts Foot - Roger's Information Security Blog

Comments are closed.