This essay concludes our etymological journey of the word “security,” examining the meaning of security in the information society then summarizing what we’ve discovered on our semantic safari. It is Track VI of a longer concept album exploring what we mean when we use the word ‘security’ (and what it should mean).

You can find all the essays in the “When We Say Security, What Do We Mean?” concept album here:

The Meaning of “Security” in the Information Society

A marble goddess sits on a gilded throne in pastel clouds. She is cleansing a laptop which is beaming with iridescent light.

We end our journey in the modern era, the information society1. The best way to summarize the concept of security in modern times is that it’s controversial af and dependent on context2. But, Wolfers’ two-part definition of “security” from 1962 is widely cited3:

  1. In an objective sense, security measures the absence of threats to acquired values
  2. In a subjective sense, security reflects the absence of fear that such values will be attacked

The term “values”, here, of course, is ambiguous and open-ended. But let’s think about what this means for the cybersecurity context.

A realist would say security is achieved when “the dangers posed by manifold threats, challenges, vulnerabilities and risks” in the digital realm are “avoided, prevented, managed, coped with, mitigated and adapted to” by individuals, groups, or organizations4.

A social constructivist would say security is achieved “once the perception and fears of security ‘threats’, ‘challenges’, ‘vulnerabilities’ and ‘risks’ are allayed and overcome.” That is, objective security is not enough; the subjective will always wield considerable influence in the cybersecurity context.

In my experience, tech bros really do not like the idea that emotions or subjectivity come into play in tech stuff at all. They tend to describe their emotions as “logic” and subjective experience as “facts.” We don’t have enough time to unpack all of that in this post (and if only more of them would go to therapy). But it’s a very real problem when traditional cybersecurity folk wisdom was often woven by people who think the objective is all that matters.

What’s worse about the cybersecurity status quo is that the subjective is dismissed but the objective isn’t even really measured. Again, objective security measures the absence of threats to acquired values. We do not have objective security in traditional infosec and, by that definition, it’s not even really what’s being pursued. Even when fleshing out the realist interpretation of objective security, traditional infosec mostly focuses on the “avoided” or “prevented” part rather than the managed, coped with, adapted to part5.

From the perspective of modern scholars, security is meant to lead to more goal-oriented behavior while insecurity leads to threat-oriented behavior. As anyone who’s walked the RSAC vendor hall knows all too well, basically everything in cybersecurity today is about THREATS. Everything is a potential THREAT: your API, your CI/CD pipelines, your laptop, your phone, your fridge, your colleagues, your loved ones, even your own BRAIN is a THREAT because what if you make a MISTAKE and become the very INSIDER THREAT you swore to destroy!?!?!

Everything about the infosec status quo today reflects threat-oriented behavior, therefore implying insecurity rather than security. Traditional infosec isn’t about preserving and upholding values – like prosperity or productivity or an inclusive work environment. Traditional infosec is about preventing and avoiding threats, aiming for the impossible standard of attacks never successfully happening.

The cybersecurity status quo forgets the whole point of stopping the threats is to preserve certain values.

This fetishization of threats and elimination of them as an aim in itself is how we end up with infosec programs which cause so much grief and anxiety and friction for everyone else in the organization. If the infosec industry actually focused on preservation of values, then UX would probably be one of the most important skills in the discipline (but how would incumbent cybersecurity vendors milk that for cash?).

After all, what’s the point of protecting the cherished organizational value of productivity from potential attacks – which likely only happen sometimes rather than continuously, from an impact perspective – if you’re going to erode that value daily through security policies that seem divorced from real goals, constraints, and workflows?

What’s the point in protecting the organization against a potential financial loss due to attack when you’re not only spending its money on security (which could be spent elsewhere), but also slowing down its ability to grow revenue due to security procedures? For an organization with $100 million in revenue wanting to gain market share, shipping 20% fewer features per year due to friction created by the security program has more material impact short, medium, and long term than a ransomware operator demanding $1 million, $5 million, or even $10 million.

Waldron’s quite recent definition of the word security summarizes this all nicely and is worth repeating here:

“… security now comprises protection against harm to one’s basic mode of life and economic values, as well as reasonable protection against fear and terror, and the presence of a positive assurance that these values will continue to be maintained in the future.”6

Cybersecurity as it stands today flunks this definition. It is impossible to provide assurance that basic and economic values will be maintained in the future if you do not know what they are, which the infosec status quo does not know because they do not care because all of that is irrelevant to their noble need to sacrifice everyone’s time, energy, and money at the altar of the FUD gods to gain more budget, more headcount, more influence and they shroud this ritual in a lab coat of “rational” paranoia.

Before architecting a security program or allocating cybersecurity budget, we should understand the organization’s basic mode of life and economic values, including at the level of any teams who will be especially subject to security procedures (like software engineers). From there, we should aim to provide reasonable protection against fear and terror – that is, to provide subjective security, that ancient-school version of securitas which meant freedom from anxiety, fear, or care.

Our job as defenders should be to reduce the complexity of the security problem to such an extent that the rest of the organization is free from care about it (in fact, the systems theorist Niklas Luhmann argued that security efforts explicitly aim to reduce the complexity of the world7). And cybersecurity’s job should be to provide positive assurance that the organization’s values (like prosperity, productivity, inclusion, whatever) can be maintained going forward.

But all of the above requires user research and empathy and curiosity about things beyond infosec’s viewing frustum. This modern definition of security means the organization must treat security as an interactive discipline, not a prescriptive one. The existence of a security program cannot be justified with “there is a risk here and it will never go away,”8 multiplied across all identified “risks,” which thereby implies a security organization that can only grow in scope and authority.

If those who provide security are the rulers and the users the ruled, what security really requires is the rulers respecting the ruled and the rulers earning the respect of the ruled rather than extracting it. This reflects a radical departure from traditional infosec and thus there is and will be resistance from the entrenched9.

Security, in practice, is supposed to reside at the beneficial balance between two evils: absolute fear and absolute security – and absolute security, per Kant, can only be found at the cemetery.10

Summarizing what we mean when we say “security”

A magical cat curled upon a planet, protecting it.

Security is now one of those big words like justice and freedom and liberty which serve more as symbols with fuzzy flavors of feeling – that is, as concepts – rather than as words with straightforward definitions. As we’ve seen, asking the titular question, “When We Say Security, What Do We Mean?” is an exploratory exercise rather than an excavation. There is no ground truth we shall hit with enough sweat and shoveling.

We traversed a tapestry of meanings throughout this concept album. We finish it with a rough sense of, like, “Security is about preserving chill vibes in the presence of threats to those vibes.”

But more usefully (yet less concretely), we have a better mouthfeel for what “security” means. The threats aren’t the point; the poignant part is the potential absence of a valuable good or state of being which we very much wish to preserve.

An absence of threats is only worthwhile if it guarantees the presence of serenity and prosperity. In the word “security” is also a promise – that you hold onto something of value and that this value might grow in the future.

Perhaps most of all, this semantic journey of ours today reveals how wayward traditional cybersecurity is from these notions; it resembles a nemesis of the security concept rather than its descendent. I hope you join me on the quest to finally realize the full potential of the security concept, to grow peaches rather than lemons11, to build a sweeter future for ourselves and all the other stakeholders in this strange system we call society.

The cover art for the album with the title: What do we mean when we say security? It depicts an island floating in a sky filled with rainbow and pastel clouds in shades of periwinkle and violet. The island itself is a paradise, a blend of fantasy and cyberpunk aesthetics. Lush trees blanket its ledges while waterfalls cascade from each ledge, frozen in time and resembling a beautiful digital glitch. It is meant to reflect the utopia we might achieve with our systems – our own islands – if we embraced the original meanings of the word security.

Conclusion

You can find all the essays in the “When We Say Security, What Do We Mean?” concept album here:

  1. It also brings us to one of my favorite book quotes: “In the information society, nobody thinks. We expected to banish paper, but we actually banished thought.” (said by Ian Malcolm in Jurassic Park by Michael Crichton). ↩︎

  2. “Security is ambiguous and elastic in its meaning.” – Art, 1993 ↩︎

  3. Wolfers, A. (1962). Discord and collaboration: essays on international politics. Baltimore: Johns Hopkins Press. ↩︎

  4. Brauch, H. G. (2011). Concepts of security threats, challenges, vulnerabilities and risks. In Coping with global environmental change, disasters and security (pp. 61-106). Springer, Berlin, Heidelberg. https://link.springer.com/content/pdf/10.1007/978-3-642-17776-7_2.pdf ↩︎

  5. Yet again, this is a dynamic Security Chaos Engineering (SCE) is seeking to change. ↩︎

  6. Waldron, J. (2006). Safety and security. Neb. L. Rev., 85, 454. ↩︎

  7. Luhmann, N. (2018). Trust and power. John Wiley & Sons. ↩︎

  8. I have much, much more to say on this topic (inspired by this paper: Power, M. (2009). The risk management of nothing. Accounting, organizations and society, 34(6-7), 849-855.) ↩︎

  9. Surprise, surprise, Security Chaos Engineering (SCE) is aligned with the vibe of earning respect. ↩︎

  10. Arenas, J. F. M. (2008). From Homer to Hobbes and Beyond—Aspects of ’security’ in the European Tradition. In Globalization and environmental challenges (pp. 263-277). Springer, Berlin, Heidelberg. ↩︎

  11. Shortridge, Kelly (2022). From Lemons to Peaches: Improving Security ROI through Security Chaos Engineering. IEEE SecDev 2022, forthcoming↩︎