Security is a concept that most of us intuitively understand but struggle to define. In this post I am going to explore what security is as a concept and how it applies to organisations.
Let's get started by breaking down the dictionary definition:
(Noun) The state of being free from danger or threat. [source]
The first thing of note is that, by definition, a "thing" having security is dependent on the context of that "thing". An armadillo when evaluated in isolation will always have security. An armadillo in armadillo paradise will also have security. However, when we put armadillo paradise above an active volcano, the armadillo immediately loses its security.
Having something immediately lose its security the moment there is any threat is somewhat problematic for the use of the word, as in reality there are almost always threats (such as the inevitable expansion of the sun consuming the earth).
Fortunately, the dictionary definition of secure is not dependent on context:
(Adjective) Certain to remain safe and unthreatened. [source]
Unfortunately, there are not many scenarios where we can be certain about something - there will always be both known-unknowns and unknown-unknowns. Again it is not useful to automatically be insecure because threats might exist. This definition of secure also doesn't allow for situations where something is threatened but is still safe.
In order to make these words useful to us, we tend to explicitly or implicitly add modifiers to qualify our use. This includes (but is not limited to) qualifying the:
- Danger or threat; an armadillo in armadillo paradise (still located on top of a volcano) is free from the danger of humans but is not free from the danger of incineration.
- Context; an armadillo in a space station is free from the danger of volcanic incineration.
- Time-frame; all armadillos alive today are free from the danger of incineration from the inevitable expansion of the sun.
- Our knowledge; as far as I am aware, armadillos alive today are safe from the threat of an artificial intelligence turning them into paperclips.
- Dependencies; an armadillo returning from space is free from the danger of incineration during re-entry, assuming that the heat shields on their shuttle remain intact.
It is clear that like armadillos, organisations do not exist in isolation. Instead they exist in the imperfect world of reality and humans. No matter the context, there will always be some kind of danger or threat to an organisation.
Organisational security is about protecting the organisation and its members from the threats and dangers that face it. To make security practical we must begin to qualify the threats, contexts, time-frames, dependencies, etc., and in doing so build a much richer understanding of an organisation's security. This process is known as threat modelling, and is a core part of organisational security.
Let's examine how we can qualify the dangers that an organisation may face using the example of shipping organisations and pirates. That is, organisations that operate actual ships 🚢, and modern pirates 🏴‍☠️ that threaten ships and their crew.
In qualifying threats, we can say that a marketing organisation is free from the threat of pirates, whilst our shipping organisation will need to consider this threat. This will set the scope of the organisation's threat model.
When qualifying context, we can look at where the shipping organisation is operating and where piracy occurs. An organisation that operates between Australia and New Zealand is very unlikely to experience piracy, whereas an organisation that operates in South East Asia would definitely need to consider the threat of piracy. Understanding the context can greatly aid in further reducing the scope of a threat model (although this may come at the cost of not providing security against dangers that are actually present).
For time-frame qualification we can consider the potential damage of rising sea levels on the port infrastructure of shipping companies. In the next 5 years this is unlikely to change significantly; however, by 2100 rising sea levels will likely pose dangers to many ports (and the coastal cities they are in) around the world. Large time-frames may seem inconsequential, but they are incredibly important when considering long-range planning and thus the threat model of a long-range plan, e.g. Indonesia and its capital.
In qualifying knowledge, all threats to shipping are based on the brief research I conducted for this post. It is quite possible that pirates do operate between Australia and New Zealand but that this is not reported to the website I used. This is one of the most crucial pieces of threat modelling: it is very difficult for an organisation to defend against dangers that it simply isn't aware of.
Ships are heavily dependent on sea-charts, sonar, and the guidance of lighthouses to avoid dangerous shoals that may otherwise damage and sink the ship. Organisations are dependent on a staggering number of things, including people, other organisations, and technologies. Failures in any of these dependencies may open the organisation to threats.
These examples of qualifying dangers and threats are in no way exhaustive. In a future blog post I will explore what kind of dangers and threats I think about when forming the threat model of an organisation.
Much of what you have just read may seem obvious, and this is entirely expected given that most people have an intuitive understanding of security. So where does this leave us?
We've established that security only exists in opposition to threats; it cannot exist in isolation. We've also started to explore some concepts such as threat modelling that can help us qualify dangers and threats. This is, however, only the start of the journey.
Over time I hope to continue this series of posts exploring the field of security and what it means to work in it. This will also include looking at frameworks and processes within security as well as knowledge and building blocks that can be used to fill out these models.
Footnote: Why Armadillos and Ships?
You may be wondering, why don't any of my examples include IT security? Whilst IT security may play one of the largest roles in an organisation's threat model, it is not the only form of security that will impact an organisation, and general security practitioners should not limit themselves to this scope. If you wish to focus on a small area and become a specialist (e.g. cryptography, network security, or software vulnerabilities), it is important to realise that you are working as a specialist in the broader security context (and as a generalist, it is important to realise that you will need to rely on specialists in many circumstances).
Cover Image: www.bluecoat.com