Defining Security: The Difference Between Safety & PrivacyWords matter, especially if you are making a case for new security measures, state-of-the-art technology or personnel.
Have you ever had a moment where you were reading something and suddenly doubted your comprehension of a particular word? I had this experience recently, about the meaning of the word "security." As someone whose job title includes security, it was a particularly perplexing moment. At the same time, it cleared up a lot of confusion I’ve had about how security is viewed by its various constituencies.
For most of us, our first introduction to the concept of security is in the physical realm – perhaps in a contact with security guard or a security checkpoint. The former is like a monitor whose job is to stop dangerous things already happening. The latter is more active – in a search to exclude suspicious or dangerous people or things.
Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada, July 22-27, 2017. Click for information on the conference schedule and to register.
The more active type of security checks are being used with increasing frequency to improve public safety, but this is leading a lot of people to feel more vulnerable. Computer security tips caution people not to leave our devices in places that are out of our sight or control, and not to give strangers access to our devices because these actions increase risk. It could be argued that when something increases the risk of theft of devices or data, it should not be called security.
These checkpoints and their digital equivalents exist on a spectrum from "easily acceptable to everyone" to "most people find it intrusive" depending on a few different factors that aren’t necessarily intuitive or obvious.
There are a few questions that help clarify where security lies on the intuitive to obvious spectrum:
- Is the area being secured a private residence or business?
- If the secured area is public: are you inspecting everyone and everything and removing whatever or whomever could be considered suspicious? Or are you checking a list for specifically dangerous people or items?
- Are the criteria fairly decided and equally applied? Are there effective methods to correct the list quickly if there are errors or omissions?
- Are records kept of everyone or everything that entered or exited this area?
Let’s take a bank as an example: People generally consider a bank with strong security a very positive thing. It is a private business, but one that anyone should be able to access to a certain extent. You expect that security measures will be increasingly exclusive the closer to the vault you get. Security measures that happen at the front door should primarily be passive monitoring. Access to areas behind the teller’s desk should be fairly limited. And access to the bank vault itself should be both extremely exclusive and closely monitored.
The more you stick to a blacklist approach – quickly excluding only those items or people that are predetermined to be dangerous, and logging only the positive detections – the less privacy and control are compromised. While this approach risks letting previously unknown, dangerous things or people through, the alternative isn’t exactly foolproof either. And while logging can be used to help keep everyone honest, measures must be taken to keep that information from being used maliciously.
Any time people are asked to forfeit privacy or control, it increases vulnerability. And an increase in vulnerability is a decrease in our personal security. But to achieve perfect security would require us to live in a fortified box that allowed no connection with other people. Because we homo sapiens are social animals, this vulnerability is not always negative, but it is something we should enter into with our eyes wide open.
Time to Define Terms
I would argue that there are two distinct definitions of the word security in the digital sense. There is the definition that is closer in meaning to "safety," defined as protected from danger. And there is the definition that is closer to "privacy," meaning free from being observed. Both definitions imply mitigating risk, but in diametrically opposite and often incompatible ways.
One might think that a language with around 250,000 distinct words would have enough choices that we could have enough specificity to clarify our exact meaning, but advances in technology seem to be forcing us to use existing words in very different ways. This is nothing new, though the pace of this change is accelerating.
I wish I could wave a wand and put everyone on the same page with the way the word security is used. But I realize that this ship has already sailed, and the metaphorical boat is probably rapidly approaching Point Nemo. My more realistic wish is that – especially during contentious discussions – we consider the possibility that someone may be operating with a different definition.
If you have an uphill battle ahead of you to convince someone to adopt security measures, or to allocate budget for security purchases or personnel, it might be useful to clarify what sort of security you intend to provide.
Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She has watched both the malware landscape and the security technologies used to prevent threats from growing and changing dramatically. Because keeping up with all ... View Full Bio