Unusable Security for Attackers

One of the things that makes security research different from other research is the presence of attackers, potentially or in actuality. The early research I was exposed to barely touched on the attacker. The Trusted Computer System Evaluation Criteria from the 1980s had hardly a whisper of functionality specifically for countering attacks, beyond auditing security relevant events. When we were researching and composing secure systems, most of us thought that antivirus, when it emerged, was a fool's game. Who could possibly catch all the different ways an attacker might go about breaching a system? The first question put to a presentation on intrusion detection system (IDS) research was predictably "How did you know that the system was free of attacks when you baselined it?"