laws of security

I was reading an article by Eugene Spafford of Purdue in the June CACM, and it mentioned 3 laws of security attributed to Robert H. Courtney Jr., "one of the first computer security professionals". I have since found these "laws" in RFC 4949. They are:

Courtney's first law: You cannot say anything interesting (i.e., significant) about the security of a system except in the context of a particular application and environment.

Courtney's second law: Never spend more money eliminating a security exposure than tolerating it will cost you.
-- First corollary: Perfect security has infinite cost.
-- Second corollary: There is no such thing as zero risk.

Courtney's third law: There are no technical solutions to management problems, but there are management solutions to technical problems.