Lysa Myers
Defining Security: The Difference Between Safety & Privacy

Words matter, especially if you are making a case for new security measures, state-of-the-art technology or personnel.

Have you ever had a moment where you were reading something and suddenly doubted your comprehension of a particular word? I had this experience recently with the word "security." For someone whose job title includes that word, it was a particularly perplexing moment. At the same time, it cleared up a lot of confusion I've had about how security is viewed by its various constituencies.

For most of us, our first introduction to the concept of security is in the physical realm, perhaps an encounter with a security guard or a security checkpoint. The former is like a monitor whose job is to stop dangerous things that are already happening. The latter is more active: a search intended to exclude suspicious or dangerous people or things before they get in.


The more active type of security check is being used with increasing frequency to improve public safety, but it is leading a lot of people to feel more vulnerable. Computer security tips caution people not to leave their devices in places that are out of their sight or control, and not to give strangers access to their devices, because these actions increase risk. Yet a checkpoint that takes a device out of its owner's hands asks exactly that. It could be argued that when something increases the risk of theft of devices or data, it should not be called security.

These checkpoints and their digital equivalents exist on a spectrum from "easily acceptable to everyone" to "most people find it intrusive" depending on a few different factors that aren’t necessarily intuitive or obvious.

There are a few questions that help clarify where a measure lies on the acceptable-to-intrusive spectrum:

  • Is the area being secured a private residence or business?
  • If the secured area is public: are you inspecting everyone and everything and removing whatever or whomever could be considered suspicious? Or are you checking a list for specifically dangerous people or items?
  • Are the criteria fairly decided and equally applied? Are there effective methods to correct the list quickly if there are errors or omissions?
  • Are records kept of everyone or everything that entered or exited this area?

Let’s take a bank as an example: People generally consider a bank with strong security a very positive thing. It is a private business, but one that anyone should be able to access to a certain extent. You expect that security measures will be increasingly exclusive the closer to the vault you get. Security measures that happen at the front door should primarily be passive monitoring. Access to areas behind the teller’s desk should be fairly limited. And access to the bank vault itself should be both extremely exclusive and closely monitored.

The more you stick to a blacklist (denylist) approach – quickly excluding only those items or people that are predetermined to be dangerous, and logging only the positive detections – the less privacy and control are compromised. This approach risks letting previously unknown dangerous things or people through, but the alternative, inspecting everyone and admitting only what is pre-approved, isn't exactly foolproof either, and it leaves a record of everyone inspected. And while logging can be used to help keep everyone honest, measures must be taken to keep that information from being used maliciously.
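The bank zones above and the denylist-versus-inspect-everyone trade-off can be made concrete in code. The following is an added example, not code from the article: it models three zones (lobby, teller area, vault), applies a denylist at the front door that logs only hits, and an allowlist for the restricted zones that logs every decision. The subject names, zone names and visit list are constructed for the example. Running it shows both halves of the argument: an unlisted threat walks through the denylist at the lobby, while the allowlisted zones keep a record of every visitor who approached them, innocent or not.

```python
"""Tiered access checks modelled on the article's bank analogy.

Added example, not code from the article. Three zones (lobby, teller area,
vault) illustrate two policy styles and what each one must record:

  * denylist: admit everyone except listed subjects; log only the hits.
    Cheap on privacy, but an unlisted threat walks through.
  * allowlist: admit only listed subjects; every request is a policy
    decision worth auditing, so the log holds every visitor who tried.

All names, zones and visitors below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

# Constructed sample policy: one denylist for the front door and, per
# restricted zone, the subjects allowed in (the allowlists).
DENYLIST: Set[str] = {"mallory"}
ALLOWLISTS: Dict[str, Set[str]] = {
    "teller_area": {"alice", "bob"},
    "vault": {"alice"},
}


@dataclass
class AuditLog:
    """Append-only record of (zone, subject, decision) tuples."""
    entries: List[Tuple[str, str, str]] = field(default_factory=list)

    def record(self, zone: str, subject: str, decision: str) -> None:
        self.entries.append((zone, subject, decision))


def denylist_check(zone: str, subject: str, log: AuditLog) -> bool:
    """Admit unless listed; only a positive detection touches the log."""
    if subject in DENYLIST:
        log.record(zone, subject, "deny")
        return False
    return True


def allowlist_check(zone: str, subject: str, log: AuditLog) -> bool:
    """Admit only if listed; every decision is logged, so the log retains
    everyone who approached the zone, including those turned away."""
    allowed = subject in ALLOWLISTS[zone]
    log.record(zone, subject, "allow" if allowed else "deny")
    return allowed


# Front door is passive/denylist; the closer to the vault, the more exclusive.
ZONE_POLICY: Dict[str, Callable[[str, str, AuditLog], bool]] = {
    "lobby": denylist_check,
    "teller_area": allowlist_check,
    "vault": allowlist_check,
}


def run_day(visits: List[Tuple[str, str]], log: AuditLog) -> Set[Tuple[str, str]]:
    """Apply each zone's policy to each (subject, zone) visit and return
    the set of (subject, zone) pairs that were admitted."""
    admitted: Set[Tuple[str, str]] = set()
    for subject, zone in visits:
        if ZONE_POLICY[zone](zone, subject, log):
            admitted.add((subject, zone))
    return admitted


def subjects_retained(log: AuditLog) -> Set[str]:
    """Distinct people whose presence the log now records: the privacy cost."""
    return {subject for _, subject, _ in log.entries}


# Constructed visits: "eve" is dangerous but not yet on any list;
# "carol" only ever visits the lobby.
VISITS: List[Tuple[str, str]] = [
    ("alice", "lobby"), ("alice", "teller_area"), ("alice", "vault"),
    ("bob", "lobby"), ("bob", "teller_area"), ("bob", "vault"),
    ("carol", "lobby"),
    ("mallory", "lobby"),
    ("eve", "lobby"), ("eve", "teller_area"),
]

if __name__ == "__main__":
    day_log = AuditLog()
    result = run_day(VISITS, day_log)
    print("admitted:", sorted(result))
    print("retained in log:", sorted(subjects_retained(day_log)))
```

Note that "eve" is admitted to the lobby because the denylist has never heard of her, and that "carol" leaves no trace at all, while everyone who approached a restricted zone is in the log whether or not they were admitted. Which of those two outcomes counts as "security" is exactly the question the article raises.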

Any time people are asked to forfeit privacy or control, it increases vulnerability. And an increase in vulnerability is a decrease in our personal security. But to achieve perfect security would require us to live in a fortified box that allowed no connection with other people. Because we homo sapiens are social animals, this vulnerability is not always negative, but it is something we should enter into with our eyes wide open.

Time to Define Terms
I would argue that there are two distinct definitions of the word security in the digital sense. There is the definition that is closer in meaning to "safety," defined as protected from danger. And there is the definition that is closer to "privacy," meaning free from being observed. Both definitions imply mitigating risk, but in diametrically opposite and often incompatible ways.

One might think that a language with around 250,000 distinct words would offer enough specificity to make our exact meaning clear, but advances in technology seem to be forcing us to use existing words in very different ways. This is nothing new, though the pace of the change is accelerating.

I wish I could wave a wand and put everyone on the same page with the way the word security is used. But I realize that this ship has already sailed, and the metaphorical boat is probably rapidly approaching Point Nemo. My more realistic wish is that – especially during contentious discussions – we consider the possibility that someone may be operating with a different definition.

If you have an uphill battle ahead of you to convince someone to adopt security measures, or to allocate budget for security purchases or personnel, it might be useful to clarify what sort of security you intend to provide.

Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She has watched both the malware landscape and the security technologies used to prevent threats grow and change dramatically. Because keeping up with all ...
6/30/2017 | 12:51:40 PM
The Popularity of Privacy Over Security
I credit this confusion some folks have (not just outside the industry but inside, too) between the definitions of these two words to the very successful campaigns of groups like the Free Software Foundation and Electronic Frontier Foundation.  Encouraging encryption, the use of tools like PGP/GnuPG and leveraging the legal genius of folks like Eben Moglen (Software Freedom Law Center) successfully framed a dialog about "privacy" that slowly became part of the popular consciousness, eventually inseparable from our conversation about "security" because the tools to secure both often were the same, or overlapped.  I like these folks, so I'm not saying what they do isn't important but it still contributed to this confusion, IMHO.

Stories about folks like Aaron Swartz (R.I.P.), Ed Snowden and Julian Assange also then became more about the "privacy" discussion than "security" when, in many cases, it really should have started with a discussion about security.  I'm not taking a stance against privacy, or making a comment for or against these folks or organizations like Anonymous.  Rather, I'm pointing to the evolution of how we as consumers of word meaning and media stories got here.  I also see a lot of credit going to the tech legal eagles who have fought hard to blur lines to secure rights to "privacy" for the individual but also (not intentionally, I'm sure) threatening "security" in the process by 1) causing this confusion in meaning and 2) putting "privacy" as a proposed "right" before the rights of all consumers to have access to "security" in the products they use, the transactions they make, the information they obtain.

I think this is not just about defining each word clearly when defining your project or selling a solution, but it is also about making sure the frenzy behind "privacy" doesn't put your "security" project at risk, a situation I'm sure many an Enterprise Desktop, Mobile and Email security team has run into.