About Me

Bay Area, CA, United States
I'm a computer security professional, most interested in cybercrime and computer forensics. I'm also on Twitter @bond_alexander. All opinions are my own unless explicitly stated.

Wednesday, January 19, 2011

What is computer security

This morning a friend of mine tweeted about a good definition of security that he ran across.  Read the article for more explanation and details, but the essential definition is:
Security is the process of maintaining an acceptable level of perceived risk.
I really like this definition because it's simple and easy to comprehend, but it also accurately portrays several nuances that are frequently missed in discussions about security by both security people and non-security people.
  1. Security is a process.  Security isn't something that you set up once and are done with; it's an ongoing process.  You have to stay aware of current and upcoming threats, new vulnerabilities and new mitigation techniques.  As bugs are found in software, you have to patch them.  As employees come and go, you need to grant and remove their access diligently.  These are just some examples of the process of security.
  2. Acceptable level of risk.  Security (computer or physical) isn't about eliminating risk.  That's impossible.  It's about managing risks to an acceptable level.  Several things need to be considered: How expensive is the security device or policy?  What barriers does it add to normal operations?  How likely is the threat, and what amount of damage can be expected from it?  How much security is worth it?
  3. Perceived risk.  We're not omniscient.  Security people, managers, employees and customers have to make our best judgements about what the risks are, how dangerous they are and how likely they are.  The fact that humans in general are rather poor at estimating risks is why we spend billions on airport security and very little on preventing traffic collisions.  Several books have been written about this issue.
I think a better understanding of what security means would do much to improve security decision-making in general.

1 comment:

  1. I really like your point concerning perceived risk vs actual (statistical) risk and that maintaining an acceptable level of it is an ongoing process.
