
Courtney's laws

Senses

(N)

Principles for managing system security that were stated by Robert H. Courtney, Jr.

Tutorial: Bill Murray codified Courtney's laws as follows: [Murr]

  • Courtney's first law: You cannot say anything interesting (i.e., significant) about the security of a system except in the context of a particular application and environment.
  • Courtney's second law: Never spend more money eliminating a security exposure than tolerating it will cost you. (See: acceptable risk, risk analysis.)
      -- First corollary: Perfect security has infinite cost.
      -- Second corollary: There is no such thing as zero risk.
  • Courtney's third law: There are no technical solutions to management problems, but there are management solutions to technical problems.
References
  • IETF RFC 4949 (Internet Security Glossary), Jan 06, 2026
    RFC 4949 — Internet Security Glossary (Version 2)
    https://www.rfc-editor.org/rfc/rfc4949.txt
    RFC 4949 is published by the IETF Trust and marked as "Distribution of this memo is unlimited". Verify IETF Trust copyright/licensing terms for reuse.
    Source: IETF RFC 4949 (rfc-editor.org).