Dark Reading is part of the Informa Tech Division of Informa PLC


11:30 AM
Lysa Myers

Defining Security: The Difference Between Safety & Privacy

Words matter, especially if you are making a case for new security measures, state-of-the-art technology or personnel.

Have you ever had a moment where you were reading something and suddenly doubted your comprehension of a particular word? I had this experience recently, about the meaning of the word "security." As someone whose job title includes security, it was a particularly perplexing moment. At the same time, it cleared up a lot of confusion I’ve had about how security is viewed by its various constituencies.

For most of us, our first introduction to the concept of security is in the physical realm – perhaps in contact with a security guard or a security checkpoint. The former is like a monitor whose job is to stop dangerous things already happening. The latter is more active – a search meant to exclude suspicious or dangerous people or things.

The more active types of security check are being used with increasing frequency to improve public safety, but this is leading a lot of people to feel more vulnerable. Computer security tips caution us not to leave our devices in places that are out of our sight or control, and not to give strangers access to our devices, because these actions increase risk. It could be argued that when something increases the risk of theft of devices or data, it should not be called security.

These checkpoints and their digital equivalents exist on a spectrum from "easily acceptable to everyone" to "most people find it intrusive" depending on a few different factors that aren’t necessarily intuitive or obvious.

There are a few questions that help clarify where a security measure lies on that spectrum:

  • Is the area being secured a private residence or business?
  • If the secured area is public: are you inspecting everyone and everything and removing whatever or whomever could be considered suspicious? Or are you checking a list for specifically dangerous people or items?
  • Are the criteria fairly decided and equally applied? Are there effective methods to correct the list quickly if there are errors or omissions?
  • Are records kept of everyone or everything that entered or exited this area?

Let’s take a bank as an example: People generally consider a bank with strong security a very positive thing. It is a private business, but one that anyone should be able to access to a certain extent. You expect that security measures will be increasingly exclusive the closer to the vault you get. Security measures that happen at the front door should primarily be passive monitoring. Access to areas behind the teller’s desk should be fairly limited. And access to the bank vault itself should be both extremely exclusive and closely monitored.

The more you stick to a blacklist approach – quickly excluding only those items or people that are predetermined to be dangerous, and logging only the positive detections – the less privacy and control are compromised. While this approach risks letting previously unknown, dangerous things or people through, the alternative isn’t exactly foolproof either. And while logging can be used to help keep everyone honest, measures must be taken to keep that information from being used maliciously.

Any time people are asked to forfeit privacy or control, it increases vulnerability. And an increase in vulnerability is a decrease in our personal security. But to achieve perfect security would require us to live in a fortified box that allowed no connection with other people. Because we Homo sapiens are social animals, this vulnerability is not always negative, but it is something we should enter into with our eyes wide open.

Time to Define Terms
I would argue that there are two distinct definitions of the word security in the digital sense. There is the definition that is closer in meaning to "safety," defined as protected from danger. And there is the definition that is closer to "privacy," meaning free from being observed. Both definitions imply mitigating risk, but in diametrically opposite and often incompatible ways.

One might think that a language with around 250,000 distinct words would offer enough choices for us to specify our exact meaning, but advances in technology seem to be forcing us to use existing words in very different ways. This is nothing new, though the pace of this change is accelerating.

I wish I could wave a wand and put everyone on the same page with the way the word security is used. But I realize that this ship has already sailed, and the metaphorical boat is probably rapidly approaching Point Nemo. My more realistic wish is that – especially during contentious discussions – we consider the possibility that someone may be operating with a different definition.

If you have an uphill battle ahead of you to convince someone to adopt security measures, or to allocate budget for security purchases or personnel, it might be useful to clarify what sort of security you intend to provide.

Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She has watched both the malware landscape and the security technologies used to prevent threats from growing and changing dramatically. Because keeping up with all ...
User Rank: Ninja
6/30/2017 | 12:51:40 PM
The Popularity of Privacy Over Security
I credit this confusion some folks have (not just outside the industry but inside, too) between the definitions of these two words to the very successful campaigns of groups like the Free Software Foundation and Electronic Frontier Foundation.  Encouraging encryption, the use of tools like PGP/GnuPG and leveraging the legal genius of folks like Eben Moglen (Software Freedom Law Center) successfully framed a dialog about "privacy" that slowly became part of the popular consciousness, eventually inseparable from our conversation about "security" because the tools to secure both often were the same, or overlapped.  I like these folks, so I'm not saying what they do isn't important but it still contributed to this confusion, IMHO.

Stories about folks like Aaron Swartz (R.I.P.), Ed Snowden and Julian Assange also then became more about the "privacy" discussion than "security" when, in many cases, it really should have started with a discussion about security.  I'm not taking a stance against privacy, or making a comment for or against these folks or organizations like Anonymous.  Rather, I'm pointing to the evolution of how we as consumers of word meaning and media stories got here.  I also see a lot of credit going to the tech legal eagles who have fought hard to blur lines to secure rights to "privacy" for the individual but also (not intentionally, I'm sure) threatening "security" in the process by 1) causing this confusion in meaning and 2) putting "privacy" as a proposed "right" before the rights of all consumers to have access to "security" in the products they use, the transactions they make, the information they obtain.

I think this is not just about defining each word clearly when defining your project or selling a solution, but it is also about making sure the frenzy behind "privacy" doesn't put your "security" project at risk, a situation I'm sure many an Enterprise Desktop, Mobile and Email security team has run into.

