Security is the process of maintaining an acceptable level of perceived risk. I really like this definition because it's simple and easy to comprehend, but it also accurately portrays several nuances that are frequently missed in discussions about security, by security people and non-security people alike.
- Security is a process. Security isn't something that you set up and you're done, it's an ongoing process. You have to keep aware of current and upcoming threats, new vulnerabilities and new mitigation techniques. As bugs are found in software, you have to patch them. As employees come and go, you need to grant and remove their access diligently. These are just some examples of the process of security.
- Acceptable level of risk. Security (computer or physical) isn't about eliminating risk. That's impossible. It's about managing risks to an acceptable level. Things that need to be considered include: how expensive is the security device or policy? What barriers does it add to normal operations? How likely is the threat, and what amount of damage can be expected from it? How much security is worth it?
- Perceived risk. We're not omniscient. Security people, managers, employees and customers all have to make their best judgements about what the risks are, how dangerous they are and how likely they are. The fact that humans in general are rather poor at estimating risks is why we spend billions on airport security and very little on preventing traffic collisions. Several books have been written about this issue.