Necessary and sufficient conditions

Posted at 08:00 on 09 November 2017

Take a look at these two statements. Are they both saying the same thing?

  1. "If you are using HTTPS, then your website is secure."
  2. "If you are not using HTTPS, then your website is not secure."

In actual fact, they are not. Furthermore, only the second statement is true: the first statement is false.

The first statement is an example of a sufficient condition. If it were true, all you would need to do to secure your website would be to install an SSL certificate and you'd be done.

The second statement, on the other hand, is an example of a necessary condition. There are, of course, other things you need to do to ensure that your website is secure: for example, take care to avoid SQL injection and cross-site scripting attacks, keep your servers patched and up to date, and so on. But you still need to use HTTPS in addition to all these. If you don't, your site will be vulnerable to a man-in-the-middle attack.

You can see the difference if I draw up a truth table for a sufficient condition:

| Sufficient condition | Other stuff | Secure? |
|----------------------|-------------|---------|
| No                   | No          | No      |
| Yes                  | No          | Yes     |
| No                   | Yes         | Maybe   |
| Yes                  | Yes         | Yes     |

On the other hand, a necessary condition looks like this:

| Necessary condition | Other stuff | Secure? |
|---------------------|-------------|---------|
| No                  | No          | No      |
| Yes                 | No          | Maybe   |
| No                  | Yes         | No      |
| Yes                 | Yes         | Maybe   |

Some conditions can be both necessary and sufficient. In this case, the truth table looks like this:

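| Necessary and sufficient condition | Other stuff | Secure? |
|------------------------------------|-------------|---------|
| No                                 | No          | No      |
| Yes                                | No          | Yes     |
| No                                 | Yes         | No      |
| Yes                                | Yes         | Yes     |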

A necessary and sufficient condition can be written as "if and only if." This is sometimes shortened to "iff."

Insufficient does not mean unnecessary.

The most common misunderstanding that people have about necessary and sufficient conditions is the mistaken belief that one implies the other, or that a lack of one implies a lack of the other.

  • It is possible for conditions to be sufficient but not necessary.
  • It is possible for conditions to be necessary but not sufficient.
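The two cases above can be checked mechanically. The following is an added example, not code from the original post: it assumes a constructed toy model in which a site is "secure" only when three required controls are all present, plus a hypothetical fourth control (`extra`) that the model does not require, and classifies several conditions by enumerating every combination.

```python
from itertools import product

# Constructed toy model, not from the original post: a site counts as
# "secure" only when all three required controls are in place. The fourth
# control, "extra", is a hypothetical one this model does not require.
CONTROLS = ("https", "no_injection", "patched", "extra")
REQUIRED = ("https", "no_injection", "patched")


def is_secure(site):
    return all(site[c] for c in REQUIRED)


def all_sites():
    """Every combination of controls being present or absent."""
    return [dict(zip(CONTROLS, bits))
            for bits in product((False, True), repeat=len(CONTROLS))]


def classify(condition, sites=None):
    """Return (necessary, sufficient) for a predicate over a site."""
    sites = all_sites() if sites is None else sites
    # Necessary: no secure site exists where the condition is false.
    necessary = all(condition(s) for s in sites if is_secure(s))
    # Sufficient: no insecure site exists where the condition is true.
    sufficient = all(is_secure(s) for s in sites if condition(s))
    return necessary, sufficient


CONDITIONS = {
    "https": lambda s: s["https"],
    "all required controls": lambda s: all(s[c] for c in REQUIRED),
    "all required controls + extra": lambda s: all(s[c] for c in CONTROLS),
    "extra": lambda s: s["extra"],
}


def report():
    return {name: classify(cond) for name, cond in CONDITIONS.items()}


if __name__ == "__main__":
    for name, (nec, suf) in report().items():
        print(f"{name:32} necessary={nec!s:5} sufficient={suf!s:5}")
```

In this model HTTPS comes out necessary but not sufficient, while "all required controls + extra" is sufficient but not necessary, so neither property can be inferred from the other.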

Take, for example, this comment:

Google is just a bully because it is so big. It can go f*** itself. A standard webpage is not insecure and the use of SSL doesn't make it secure either. Maybe everyone forgets that when SSL certs were compromised. I do work on e-commerce sites and I have seen clients whose sites got hacked, not because of lack of SSL, but because of bad code on their backend. The hackers proceeded to add code so they would get emailed the credit card info after it was submitted. The user would never know, because the big green icon in the browser said it was secure. The whole thing is just a way for companies to make money.

This commenter correctly realised that SSL is insufficient, but he then assumed that this means SSL is unnecessary. This is of course incorrect. SSL may be insufficient, but it is very, very necessary.

Unfortunately, in the world of IT security, there are plenty of necessary conditions. But there are no sufficient ones.