Threats
Any discussion of security must begin with a discussion of threats. After all, if you don’t know what you’re afraid of, how are you going to defend against it? Threats are generally divided into three main categories.
- Unauthorized disclosure. A “bad guy” gets to see information he has no right to see (according to some policy that defines “bad guy” and “right to see”).
- Unauthorized updates. The bad guy makes changes he has no right to change.
- Denial of service. The bad guy interferes with legitimate access by other users.
There is a wide spectrum of denial-of-service threats. At one end, it overlaps with the previous category. A bad guy deleting a good guy’s file could be considered an unauthorized update. At the other end of the spectrum, blowing up a computer with a hand grenade is not usually considered an unauthorized update. As this second example illustrates, some denial-of-service threats can only be countered by physical security. No matter how well your OS is designed, it can’t protect my files from his hand grenade. Another form of denial-of-service threat comes from unauthorized consumption of resources, such as filling up the disk, tying up the CPU with an infinite loop, or crashing the system by triggering some bug in the OS. While there are software defenses against these threats, they are generally considered in the context of other parts of the OS rather than security and protection. In short, discussions of software mechanisms for computer security generally focus on the first two threats.
In response to these threats, countermeasures also fall into various categories. As programmers, we tend to think of technological tricks, but it is also important to realize that a complete security design must involve physical components (such as locking the computer in a secure building with armed guards outside) and human components (such as a background check to make sure your CFO isn’t a crook, or checking to make sure those armed guards aren’t taking bribes).
