Inside Risks is the last page column in Communications of the ACM. The Inside Risks column in the September 2005 issue, written by Barbara Simons and Jim Horning, discusses how hard it is to get non-technical people to understand why writing bug-free, and more importantly secure software is so hard. The article offers a nice analogy with the following caveat, “Analogy is a poor tool for reasoning, but a good analogy can be very effective in developing intuition.”

One possibly useful analogy is the U.S. Tax Code. Americans have some sense of its complexity and of the large number of people employed in its interpretation. Tax loopholes are analogous to hidden malicious code or Trojan horses in software.

The tax code resembles software in other ways as well:

• It is intended to be precise and to interface with messy realities of the real world.
• It has been developed in multiple iterations, responding to changing circumstances and requirements.
• The people who wrote the original version are no longer around.
• No one understands it in its entirety.
• It can be difficult to infer intent simply be reading a section.
• There are people who actively seek to subvert it.

Of course, there are also major differences between the tax code and software. The tax code is relatively “small” – although it runs to several thousand printed pages, Windows XP has 40 million lines of source code.