What is security?

The theoretical answer to that question is quite complex but involves a definition like this: “Protecting the confidentiality, integrity and availability of information”. This is a nice definition that ends up conveying a significant amount of information without meaning much at all. 

I am a pragmatist: I need to model and to measure to understand something. Unfortunately when it comes to security this is non-trivial.

Why do we need to model or measure security? I believe you need that to be able to understand not only what you have, but also what you don’t have and what you need to do to improve. The problem with that is how do you define and measure some arbitrary security mechanism or risk?

I know there are a few people that will immediately present me with complex math and processes on how to do that and I would recommend reading those if you suffer from insomnia. The question is actually: How do you define and measure some arbitrary security mechanism or risk in a way that is simple, consistent and sensible?

Security is a combination of tools, policies and behaviors. Any organization needs to use a combination of these techniques to build a secure environment. Tools generally refer to software or hardware that can be used to implement or enforce policies. These can be third party tools or can be built into the operating system. Policies specify expected behavior of both the computing resources and the people using them. Behavior specifies the intent and level of understanding of the people implementing the policies and using the computing resources.

Let us assume the world is a simple place and we can actually give a score to security techniques. Let us further assume we are talking about a small organization that is evaluating their security. They currently have a single point of entry/exit to the Internet that is protected by a firewall. They have no policies and no user education in place. Let us assign them an arbitrary score of 10 for their security level. They have a choice: Invest in desktop encryption software or a network intrusion detection application. How much will either of those affect their security score? Both these technologies are valid security applications which given the correct environment can make for valid additions to a security score. But given the lack of even the most basic security precautions in that organization neither of these technologies will materially affect the security score of the organization. If you don’t have basic security covered then advanced features like those mentioned will not help you as they can be evaded by much simpler attacks that will be prevented by basic security policies and/or applications.

This implies that your security score not only depends on the tools and techniques being considered but also on the tools and techniques already in place. It also depends on the value of the information you are trying to protect. Spending millions to protect something worth a few dollars is not sensible. Spending a few dollars to protect something worth millions is not responsible.

This contrived example just illustrates the impossibility of having a simple measure of security. There is no score that will provide you with assurance that you have good or bad security. There is also no consistent and sensible way to measure security or the lack of it.

This is probably the biggest problem with security. Traditionally most people consider security and usability to be mutually exclusive. The reason people consider it mutually exclusive is because people have a hard time understanding the value proposition of security. For the end user it is hard to equate that extra long password or that slightly slower computer or even the ability to visit a certain web site with a measurable advantage.

Some vendors have used a fear strategy to try and provide a measurable advantage: If you don’t have their tool to enforce their policy then bad things will happen. Sometimes there is truth in this message, but even then it does not instill a sense of value, just a sense of fear.

Some criminals have even used this lack of clarity, simplicity and consistency to their advantage. They have used the fear strategy to convince people to download and install malware in the guise of security applications on their systems. This fake security application will then find non-existent malware on their systems. To get rid of this newly discovered and non-existent malware the user then has to pay the malware author to remove the fictional malware from their system.

The scary part of that story is that people fall for it. Many people install this malware willingly thinking that they are improving their security. Some even pay these criminals thinking that it will improve their security. This type of malware is extremely widespread and there is a chance that you actually know somebody that may have been infected with it. Some even multiple times.

Does that prove that people are suckers for punishment? I don’t think so. I think it just enforces the theme of this blog entry: Security is not easy to understand, value or measure and that makes security less effective than it needs to be.