This essay examines the transition of the word ‘security’ from securus (an adjective) to securitas (a noun) during the Roman era. It is Track III of a longer concept album exploring what we mean when we use the word ‘security’ (and what it should mean).

You can find all the essays in the “When We Say Security, What Do We Mean?” concept album here:

A painting of a classical priest praying to a stained glass painting depicting a fancy padlock.

The ancient association of securus with Epicureanism was not to last. Epicurianism was outlawed once the Roman Empire entered its rebellious Christianity phase because, as a philosophy, it’s quite incompatible with the idea that souls must be “saved” and that God is relevant to everyday life (Epicurus literally argued that the gods do not gaf about human affairs and do not punish or reward human behavior).

Why is this relevant to infosec? Because – as a collection of entities across vendors, consultants, thought leaders, and practitioners incentivized to increase influence on the world – information security has sanctified itself as a secular authority who can deem worthiness from on high and reward or punish according to behavior1.

Most security advice roughly goes, “if you’re interacting with a computer and what you’re doing feels convenient, you are actually doing something BAD.” We’re supposed to report when we’ve done something wrong, like a Catholic at confessional. We can gain an “exception” from the security authority like the medieval Catholic Church granting indulgences2 to partially reduce the punishment of the sin.

Naturally, only the ordained can read and interpret the sacred texts. The unwashed masses may only receive the good word. The divine wisdom is so complex, so arcane, far too difficult for anyone else to transform into action. Does this not imply that the non-security “normies” cannot be secure without the blessing of the security establishment? The human “users” must suffer in this life for their sins, for turning away from the path of security3.

In the eyes of the Infosec Church, users are weak sheep who must be told what to do and guided with a strong hand in the ways of natural security law, less they drift wayward into wickedness. We must practice chastity in all manners digital and resist the temptation of clicking on things unless we want the whole network to drown in depravity4.

For the Security Spirit is always watching. It knows when you allow incoming connections from cloud provider IPs even though attackers also use those IPs. It knows when you copy and paste something from Stack Overflow even though it could be backdoored. It knows when you don’t VPN on the hotel WiFi, where anyone, including a big, sexy scary APT could connect to it. Wicked, wicked user! A thousand years smoldering in hellfire and pestilence for your sins! Try clicking things now once the maggots have feasted upon your flesh!

A pair of servers frolicking in a field of flowers.

We will return to security in the context of authority later, but now we must march onward to examine how securus, the adjective, evolved its noun form: securitas. In the Roman period, securitas specifically corresponded to intense emotions. And, it’s worth noting, the freedom from care represented by securitas does not require justification based on reality.

Securitas refers to a group of emotions (the things security and software “rationalists” alike pretend they don’t have) which relate to the absence of fear and include emotions like trust and confidence5. In fact, even the more modern notion of “job security” aligns to this older meaning; it is a feeling, specifically that you don’t have to worry about losing employment. Threats to it aren’t the point, the feeling is the point.

Now, my dear mortals, can we imagine an infosec program designed to ensure the organization is fearless and free from care, an infosec program that is quiet, easy, and composed? Cybersecurity as a discipline would be concerned with ensuring the organization could remain cheerful, tranquil, and serene. Servers would frolick in a field like fecund fawns. Software engineers would release code with confidence, trusting the safety designed into their languages, tools, platforms, and environments. If employees felt fear, uncertainty, or doubt when using technical systems, the security program would be curious and design solutions to alleviate their concerns.

Imagine an infosec program with the goal of relieving the rest of the organization from anxiety about security… cybersecurity that promotes convenience and puts in the hard work of crafting design-based mitigations. Status quo infosec – manifesting as SecObs, Security Theatre, etc. – seeks quite the opposite! Traditional cybersecurity programs openly admit aiming to increase anxiety among the rest of the organization to ensure they are vigilant to threats and always looking over their proverbial shoulders for potential peril. The security people decry convenience and shame users for seeking it while simultaneously indulging in it like Scrooge McDuck in his pool of gold by relying on enforcement, behavioral control, and blame as cheap “mitigations.”

I often read security advice or policies or other prescriptions and have the sense that the authors are trying very hard to pretend that local context is irrelevant and that generalized control is possible. Convenience is often framed as the enemy. The question is: convenience for whom?

Sure, convenience is clicking on every link or adding a third-party library without a second thought. But convenience is also requiring a security tool that you will never have to use, without performing any user research with the humans who will use it in their workflows. Convenience is tapping the 10^10 Security Commandments when someone makes a mistake and blaming them in front of Congress. Are we shocked that a framework of “convenience for me, but not for thee” doesn’t seem to produce the bundle of positive emotions securitas represented?

Are there words less associated with cybersecurity than “cheerful,” “bright,” “serene, “composed,” “quiet,” or “easy”?6 The whole business seems antithetical to those traits. Traditional infosec is all cura and no se – better deemed “cybercurity” than cyber_se_curity: a discipline of increasing concern, thought, trouble, anxiety, and grief in the organization regarding “cyber” matters. Offensive security is especially nonsensical through this etymological lens because it then means “offensive tranquility.”

Or maybe it isn’t that crazy. After all, don’t overpriced healing crystals and infosec wares have quite a bit in common?

Continue with Track IV: The Multifaceted Meaning of “Security” in the Roman Era (Securitas) .

Conclusion

You can find all the essays in the “When We Say Security, What Do We Mean?” concept album here:

The cover art for the album with the title: What do we mean when we say security? It depicts an island floating in a sky filled with rainbow and pastel clouds in shades of periwinkle and violet. The island itself is a paradise, a blend of fantasy and cyberpunk aesthetics. Lush trees blanket its ledges while waterfalls cascade from each ledge, frozen in time and resembling a beautiful digital glitch. It is meant to reflect the utopia we might achieve with our systems – our own islands – if we embraced the original meanings of the word security.

  1. In return, these stringent practices reinforce the status quo and uphold organizational power structures, which suits leadership just fine (and, besides, how would we expect them to know how security programs could look outside of the infosec status quo?). ↩︎

  2. You watch the church leaders exchange influence for money, but instead of imparting the power of the Holy Spirit it’s your unfortunately unscrupulous CISO pushing some dogshit into your stack because their buddy invested in the startup and they do this back and forth and then blame the engineers or users who don’t want to interact with the dogshit for why everything is failing because nothing is your fault when you have the authority of something sacred, whether the Holy Spirit or the Security Spirit. ↩︎

  3. I do find it interesting that when CISOs do not disclose a breach, instead laundering it through a bug bounty program, that is being “strategic” and showing security leadership, but when a software engineering team doesn’t fix a security bug immediately – no matter how contrived the exploit scenario – then they lack integrity. ↩︎

  4. Perhaps we should be grateful there aren’t LinkedIn posts like “here’s the best way to run your sin response team #securitas #ciso #inquisition #SinSecOps. ↩︎

  5. Wonderly, M. (2019). On the Affect of Security. philosophical topics, 47(2), 165-182. ↩︎

  6. Intriguingly – and rather self-servingly, although I did not expect it to be so when delving into this thought exercise – the original meanings of securus and securitas align nicely with the goals of Security Chaos Engineering (SCE). Composure is something for which SCE strives through the practice of repeated experimentation. SCE wants security to be quiet, it seeks to foster organizational confidence, to grant organizations the freedom to not fret about potential incidents because they feel so well-practiced through experimentation, strong feedback loops, and resilient design that they feel fearless about the inevitable. In fact, we explicitly encourage defenders to have fun with SCE experiments, getting infosec closer to that original connotation that security involves a feeling of being cheerful and bright↩︎