Without paraphrasing a tired definition, defining security, and information security specifically, is not easy. Many definitions of security are out there, but if your boss walked up to you, what would your definition be? Or would you just copy a definition of security from a security book or the Internet and hand it to your boss? Your definition would have to be something you could live and work with.
Part of my frustration in defining security comes from the fact that we don't actually control very much of our own security, either personally or for our companies. We don't own the operating systems on any of the major computer platforms; we license them, and there is no way to test their actual security except by testing their outward behavior. We can't look at the actual code and test it. Instead we rely on the media and security professionals to tell us what is and is not secure. When we move away from our own computers and environment and begin to consider the many digital partners and connections in our lives, we realize that we have little control over our own security. Does our definition of security take into consideration what we don't control? Given all of these different facets, what is the definition of security that we want everyone to use to safeguard our families, our employers, our government, and ourselves?
Internet:
1. The state of being free from danger or threat.
2. The safety of a state or organization against criminal activity such as terrorism, theft, or espionage: "national security".
Andrew Toy[1], formerly VP of mobile applications at a major Wall Street investment firm:
"Security is not a goal but a means to deliver value and manage risk in sustainable ways."
U.S. Code Title 44, Chapter 35, Subchapter III, § 3542[2]:
The term "information security" means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide—
(A) integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity;
(B) confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and
(C) availability, which means ensuring timely and reliable access to and use of information.
Bruce Schneier, The Psychology of Security[3]:
"Security is both a feeling and a reality. And they're not the same. The reality of security is mathematical, based on the probability of different risks and the effectiveness of different countermeasures."
All of the above definitions are correct, and within their own context you can't argue with them.
I agree with Andrew Toy in that security needs to deliver value and manage risk in sustainable ways. Though I don't want my bank to come up with the idea that "good enough is good enough" in relation to their bottom line and my financial security. I want enough measures in place to safeguard my money and identity.
I agree with Mr. Schneier that security is based on probability. We all know that bad things happen to good individuals and companies. I just don't want it to happen to me, my family, or my job.
Of course we all have to agree with our laws, and §3542 is very clear-cut. I agree with it, but I just can't relate its definition to my life, or to a definition of security that really means something to me that I can carry around.
We have little influence over how our security is handled by financial firms. The idea that we can "vote with our feet" is nonsense. The other bank uses the same computers, operating systems, and maybe even the same banking software. In fact, any firm we deal with only gives us statements like the following: "To protect your personal information from unauthorized access and use, we use security measures that comply with federal law. These measures include computer safeguards and secured files and buildings[4]."
So in the end we come back to Mr. Schneier's definition of security. It is a crapshoot, and we hope it's the other guy who loses. Not really very reassuring, but it is honest.