[clug] [OT] What *is* Security?

Steve McInerney steve at stedee.id.au
Fri Sep 12 16:41:42 GMT 2008 

On Thu, September 11, 2008 08:37, steve jenkin wrote:
> Recently I've been looking for a *formal* definition of 'security'
> and that has led to puzzling over an informal definition.


I've always been fond of:
Can you sleep at night?

ie. Having made "this" decision to do "these" things to secure whatever,
you can sleep happy with the **full** range of consequences of "this"
decision.

Which is equivalent to the 1st definition in the link Daniel sent thru.


Which is an emotional state, and which is exactly why we have all that
security theatre getting onto planes, or into datacentres and the like.
Yes it is theatre. Yes it doesn't really make the facility/plane more or
less secure. But it helps people feel safe flying and hence $$$; or helps
senior management feel that the DC and their servers are safe, and hence
$$$ to the DC owners.


Which is why *we* do Risk Analysis when IMPLEMENTING security. To remove
the emotional baggage via life experience that any given person will bring
to a proposed solution.


So the RA for airport security, is not so much to stop bombs or guns on
planes. It's to make the average person who wants to fly feel safe and
hence still spend their $.
ie something like: No people --> No $ --> No planes --> No Airports.
QED. :-)

ie It's Business Risk Analysis vs Security Risk Analysis. Which is a total
crack statement because they're the same thing, but am trying to assist
with the mental switch/viewpoint.



The other method I've used over the years to explain what security is, is
via analogy:
You have your super-company-seekrits on a server in a geewhizziker locked
rack. Person demonstrates to you a trivial and fast way of opening the
rack and hence gaining physical access to said server.

Question:
Are you MORE or LESS secure than you were before the demo?

Answer?
Neither. You are just as secure as you were before. No more. No less.

You won't SLEEP at night tho.


And then taking the explanation further. This is why you do Risk Analysis.
"Assume the physical security of the rack is insufficient...."
etc etc etc.


Cheers!
- Steve

More information about the linux mailing list