Lampson noticed that, in spite of significant advances in the information security area, such as subject/object access matrix model, access control lists, multilevel security using information flow and the starproperty, public key cryptography, and cryptographic protocol, the many information systems are vulnerable to inside or outside attacks. Security setup takes time, and it contributes nothing to useful output and, therefore, if the setup is too permissive no one will notice unless there’s an audit or an attack