WHEN ADRIAN LUDWIG describes the ideal approach to computer security, he pulls out an analogy. But it’s not a lock or a firewall or a moat around a castle. Computer security, he says, should work like the credit card business.
A credit card company, he explains, doesn’t eliminate risk. Itmanages risk, using data describing the market as a whole to build a different risk profile (and a different interest rate) for each individual. Computer security, Ludwig believes, should work in much the same way. “The model of good and bad—white and black—that the security community prescribes?” he says. “It’s going to be all black unless we accept that there are going to be shades of gray.”