Security = safety? Sounds risky!

Earlier this week, Dennis Fisher wrote a column for ThreatPost declaring that Snow Leopard security is all relative, which John Gruber linked to with a discussion on Daring Fireball called “The Difference Between Security and Safety”.

I wanted to address both, but realised I was in danger of rambling – so I have decided just to look at Gruber’s post.

One thing which annoys me, and which I addressed in my talk to NSConference in April, is this idea that security means something different in the online world than the real world.

No, it doesn’t.

If we try to claim that words have different meanings when used about computers then all we end up doing is confusing people. Do any of the keys you lock your doors with have a piece you give away freely to other people? No? Then why do we have public keys in asymmetric encryption?

Anyway, in the Daring Fireball post, we see “Security is about technical measures, like the strength of the locks on your doors and windows.”

Those are security measures. Security is being (or feeling) free from threat, both in the real world and online. I saw a definition of security as a state where “things which should happen, do, and things which shouldn’t happen, don’t” and to me that seems like a good meaning. Notice too that it isn’t a technosphere-only definition.

So why has Gruber taken a narrower view?

Maybe he wanted to avoid the “Macs are more secure” canard by giving “the likelihood that you’ll actually suffer from some sort of attack” another name: safety. So it doesn’t matter whether Macs are more secure or not, says he; they’re more safe, and that’s what people are after.

Well, it isn’t; it’s (along with the cost of such an attack) risk. Safety is the state of not suffering or causing harm.

But even ignoring the lexical games, risks are like stock prices – previous performance isn’t always a good indicator of future behaviour. When CISOs write security policies they consider (or at least they should consider) what looks likely to happen – or expensive if it were to happen, or both – in the future. Relying too much on previous personal experiences is a known effect, though. It’s a form of the availability heuristic.

Just as people who’ve never been burgled tend to consider the likelihood of being burgled in the future to be lower than those who have, could it be that the Mac users who’ve never knowingly experienced a malware attack have an artificially low opinion of the future likelihood?

What we really know is that Macs have a lower historical frequency of being targets of malware attacks.

Risks are also like shares in that there are many of them, and they all perform differently.

In fact, going back to the burglaries, many burglars get in through an unlocked window or door – the real-life analogy to having a guessable or empty password.

That’s going to let people in, malware or no malware.