Friday, January 27, 2012

What is your definition of security?

Without paraphrasing a tired definition defining security specifically Information Security is not easy. Many definitions of security are out there but if your boss walked up to you what would your definition be? Or would you just copy a definition of security from a security book or the Internet and give it to our boss? Your definition would have to be something you could live and work with.
Part of my frustration to define security comes from the fact we don’t actually control very much in regards to our own security either personally or for our companies. Operating Systems for all major computer platforms we don’t own we lease them, there is no way to test their actual security except to test their outward behavior. We can’t look at the actual code and test it. Instead we rely on media and security professionals to tell us what is and what is not secure. When we move away from our own computers/environment and begin to consider the many digital partners and connections in our life we realize that we have little control of our own security. Does our definition of security take that into consideration of what don’t control? Given all of these different facets what is our definition of security that we want everyone to use to safe guard our families, employers, our government, and ourselves.

1.     The state of being free from danger or threat.
2.     The safety of a state or organization against criminal activity such as terrorism, theft, or espionage: "national security".

Andrew Toy[1]:  Past VP, mobile applications at a major Wall Street investment.
“Security is not a goal but a means to deliver value and manage risk in sustainable ways”.

U.S. Code Title 44 Chapter 35 SubChapter 3 § 3542[2].
The term “information security” means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide—
(A) integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity;
(B) confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and
(C) availability, which means ensuring timely and reliable access to and use of information.

Bruce Schneier: The Psychology of Security[3].
Security is both a feeling and a reality. And they're not the same.
The reality of security is mathematical, based on the probability of different risks and the effectiveness of different countermeasures.

All of the above definitions are correct and within their own context you can’t argue with the definitions.

I agree with Andrew Toy in that security needs to deliver value and manage risk in sustainable ways. Though I don’t want my bank to come up with the idea that “good enough is good enough” in relationship to their bottom line and my financial security. I want enough measures in place to safe guard my money and identity.

I agree with Mr.Schneier that security is based on probability. We all know that bad things happen to good individuals and companies. I just don’t want it to happen to me, my family, or my job.

Of course we all have to agree with our laws and §3542 is very clear-cut. I agree with it but I just can’t relate its definition to my life or a definition of security that really means something to me that I can carry around.

We have little influence in how our security is handled by financial firms. The idea that we can “vote with our feet” is nonsense. The other bank uses the same computers, operating systems and maybe even the same banking software. In fact any firm we deal with only gives us statements like the following “To protect your personal information from unauthorized access and use, we use security measures that comply with federal law. These measures include computer safeguards and secured files and buildings[4]”.

So in the end we come back to Mr.Schneier definition of security. It is a crapshoot and we hope it’s the other guy who loses. Not really very ensuring but it is honest.

No comments:

Post a Comment