
While I agree with you on most points, security is never the number one priority. If it were we'd all destroy our computers, never write anything down, and simply accept the collapse of society. Security is always weighed against many other priorities such as authorised users being able to access data, and ease of use. A unique 128 character password for each document would have high security, but be widely considered unacceptable even in a system handling classified material.


Security is not only Confidentiality, Availability is also a part of the triad.


This is the crux of the issue. The CIA triad (confidentiality, integrity and availability) is the root of all security. However, those goals are often self-contradictory.

There will always, for example, be a conflict between availability and confidentiality. Ultimate confidentiality might require that the data be stored in an inaccessible bunker with no outside access. Ultimate availability might involve hosting sensitive data on a publicly accessible server with no access controls.

In the real world we must always balance these needs carefully, and triage available resources to achieve an "ideal" outcome. This means that security will never, and can never, be a solved problem.


The CIA triad comes from an agency that spies on people so I wonder if it truly is a comprehensive philosophy of security. It might be an attempt to confuse those they spy on with the intent to encourage security gaps. Philosophies of any kind are notorious for not being comprehensive or provable. Is there any research that tries to verify this philosophy? I worked on computer security for a few decades and I've never seen a justification for the CIA triad. The security community used to say that advanced persistent threats were "out of scope" because "the cost to defend against them was too high", but today they obviously are not out of scope because APTs are everywhere. Possibly the triad is a false legacy assumption as well. It seemed cool because it came from the CIA, but is it true? Even if it is reasonably true, is it complete?

As an example, diplomacy, open source, shared interests, universal basic income, and education can reduce the desire for attacking. How do these factor into the CIA triad?


I would argue that all models are inherently incomplete because they are models (i.e., they are the map, not the territory). Rather than worrying about completeness, it's better to ask if the model is useful, and if anything would change about the requirement for tradeoffs in security if we used a more complete model?

I would answer that the triad IS useful in this scenario and further that if we used an alternative model (The 7-C's maybe?) we would still find inherently contradictory requirements for almost every security scenario. In fact, we would just have MORE of those trade-offs, further proving that security can never be "perfect."

For example, I can think of several fundamentals the triad doesn't cover directly. Privacy and non-repudiation spring to mind as concepts that don't neatly fit into the CIA triad, but they are the antithesis of each other!

Perfect privacy would require that nobody (including data-owners) can identify the user, and perfect non-repudiation would require that no access be granted without 100% proof of the current user. Again, you are forced to choose and this means that some aspect will always be less than perfect.


> If it were we'd all destroy our computers, never write anything down, and simply accept the collapse of society.

No, this is the same sort of defeatism that prevents us from making progress on security. We could engineer usable systems where actual security is a priority, and not just security theater. We don't because nobody in a position to change anything actually gives a shit.


You can engineer systems where security is a priority. You can't engineer useful systems where security is the priority.


You’re implying any real system can have a single top priority, which is equally false. There are always multiple priorities, and the one sitting at the top changes based on the context.


> We could engineer usable systems where actual security is a priority,

Security is a priority. But it's not the only priority.

It would be difficult engineering even if it was the only priority, but given that there's little point to security for a system you never deploy, it's not likely to ever completely monopolize focus, either for users or implementers.


At this point I don't think security is a priority at all for companies like MS. Marketing themselves as having security is a priority. Doing the bare minimum to avoid lawsuits is their priority.

Ultimately though, they know that no matter how many times their failure to invest in security results in their customers' data being compromised or destroyed they'll keep making money.

Their customers are corporations who have insurance to cover their expenses when Microsoft's failure to make security a priority inevitably leads to a breach and those corporations are able to avoid all accountability for their decision to use Microsoft products no matter who else gets hurt as a result.

Dealing with yet another security issue caused by Microsoft is just another cost of doing business. It's still cheaper and/or easier for the corporations to keep MS and deal with the endless vulnerability/patch cycle than it is to move to something else and pay people who know what they're doing to manage those new systems so nothing changes.


"Sorry, you can’t use that password to encrypt this email. It’s already being used on NUCLEAR_CODES_2 (final) (2).docx. Please try another password."



