November 30, 2004

"Amateurs study cryptography; professionals study economics."

Udhay alerted us to a new aphorism (a short, pithy, instructive saying) from AMS on cryptography, which I thought worth sharing:

This immediately made me think of the military aphorism of "amateurs study tactics; generals study logistics." Lo and behold, here is what AMS said, in full, over on his blog:

"I've come up with (writes AMS) an aphorism that captures my feeling about where the effort in building secure systems needs to go. Echoing the old saying about the importance of tactics versus logistics in military studies I say:

Ha! It's pretty neat. The only thing I'm unsure of is whether it should be economics or risk. But as I roll it around my mind, I keep coming back to the conclusion that, in the public's mind, the popular definition of economics is closer to the image that we are trying to convey; which is to say, when we say economics, people think of something close to risk.

Outstanding ... BTW, I have often wondered where that phrase ("amateurs study tactics, generals study logistics") originated.

I know that it was *popularized* (most recently, anyway) by Clancy; I can't recall which book exactly (perhaps the one where what's-his-name becomes president - Executive Orders, is it?). After that book came out you saw it everywhere.

An intriguing question...

Posted by: JPMay at December 1, 2004 06:56 AM

I first heard it from General Schwarzkopf in the lead-up to GW-I. Before that I'd never heard it. So that would place it around Xmas/New Year 1990/1991.

Oddly enough I knew the thing he was trying to express when I heard it, but was immediately impressed about how wonderful that expression was for concentrating the mind on the important thing. Also, it was pretty clear that Schwarzkopf didn't want to say too much, and there was a big deception plan going on at the time.

Clancy's book, at least that one you refer to, was 1996. But I never read it, I kind of dropped him after "Sum of all Fears" which was just becoming too fanciful, for my liking.

OK, so further net research has it as "an old saying" and the full expression is:

"Amateurs study tactics," goes an old saying, "armchair generals study strategy, but professionals study logistics."

That makes more sense, because I recall hearing the second two parts, not the first part, from Schwarzkopf.

Posted by: Iang at December 1, 2004 07:12 AM

I think a large part of the problem is that the solutions pointed to by the tools of Risk and of Public Economics don't always give us the same solution. A large part of what I think econ can teach security has to do with the complex externalities of individual decisions. Should experts (security consultants for firms) think about this? Do they?

Posted by: allan at December 1, 2004 10:41 AM

I know quite a bit about both security and economics, and I find the crypto knowledge much more useful day to day in my security work. Any suggestion that cryptography is merely a plaything for amateurs is misleading and insulting to working security professionals who work to maintain their expertise in cryptography.

Posted by: Cypherpunk at December 3, 2004 01:40 AM

You may be one of those lucky people who work at a firm where the crypto part has been decided upon and it's just up to you to get that job done. From inside that crypto-focused world, it does often feel as though crypto would solve everything if only wisely employed.

But out in the rest of the world, what is required is an overall applications approach. Each component, including the crypto, has to be justified in terms of its cost and its benefit. So when we say that "economics" is needed before crypto, all we are saying is that measuring and justifying the cost of the crypto is important.

The SSL protection in browsers is a canonical example of bungled economics. Because the certs cost too much, very little is protected. Only 1% of servers use it, and the user has no control at all, because in this case crypto is "too expensive", even though other comparable systems provide crypto for free and by default.

Pulling the architecture of the SSL PKI apart to discover why only 1% of servers offer crypto leads to a succession of decisions that are basically unsupportable on pure cost grounds, as well as other grounds like basic security.

So when people admonish cryptographers for not considering economics, they have a point. Much of the cryptography world has spent the last decade pushing models that are unfounded, and we are still waiting around for the security world to catch up on that (even though cryptographers are not acknowledging it). At this point, any increase in the amount of economic common sense we can get into crypto is a positive thing.

Posted by: Iang at December 3, 2004 06:14 AM

While not really a strict subset of economics, game theory is a useful tool for analyzing security. For example, a few years ago as an undergrad, I wrote a paper on a model of computer security vulnerability disclosure. A sequential game turned out to be a very natural framework for the problem.

Posted by: Steve Sch. at December 9, 2004 10:03 AM