Being Secure vs Feeling Secure

There is a big difference between “Being Secure” and “Feeling Secure”. Far too often even security professionals (financial, physical, computer, or any other) lean towards “feeling secure” rather than actually “being secure” because “being secure” is very very hard, if not impossible.

Feeling Secure is a feeling in your gut that you’ve done all you can think of and covered every base (that you know about). You have used every little trick you know about, even if you don’t know how or why it works. Sometimes, in the hands of experience, this can be a very good thing as it helps you listen to your subconscious about all the little things you aren’t actively thinking about. However, more often than not, either the necessary experience isn’t there or your subconscious isn’t as active as you may think. Either way, this almost always results in things getting missed. Feeling secure in your finances or home or relationship is no different than feeling your computer is secure…its just a feeling. How much you trust your feelings is up to you. For myself, I rely on my feelings quite a bit.

Being secure means that you can prove the security of the environment/situation. This proof is usually through some form of math, but there are other ways to do it as well. Proof is difficult to obtain and even harder to hold on to. Most of the time the amount of effort involved in proving something isn’t worth it, which is why it isn’t done…

Instead, “proof” is done most of the time in the form of taking someone with experience and skills and having them look-over/attack/break the problem at hand. For example if a bank wants to “prove” that their vault is secure they might hire an external person with experience and skills to try and break into that vault. But in truth, this isn’t proof, this is a good measure of feeling secure…and that’s ok. It is a good thing to take the wisdom of others and listen to them about their area of expertise, but it isn’t proof.

In my opinion, by not recognizing/acknowledging/accepting the difference between the two we’re bluring the lines and causing more problems. Lets use the example of the bank vault. To ascertain the “security” of the vault, the bank hires a professional team that has many years experience with bank vaults, both from the law enforcement side, and reformed (or not so reformed) criminals. They have all the credentials you can think of and check every possible box, we’ll even go as far as saying they have super powers and alien technology to help break into the vault. This is a super team of every imagination. However, the problem is that even with all the possible experience, knowledge, wisdom, skills, and technology that this team has…it still only takes one clever individual to come up with something new and break it all. But wait, I hear you say, lets say that this super team has all the cleverness too, and thinks of ALL POSSIBLE WAYS TO BREAK INTO THE VAULT. And there’s the kicker “all possible ways”, it isn’t defined and therefore cannot be enumerated, and therefore cannot be proved. For every way you can think, someone (if not you) can unthink.

If you look at the history of locks and lock-picking or the history of cryptography you’ll find the same realization come to by many experts…just because you can’t think of how to break it doesn’t mean someone else can’t. This is why you get the saying “Don’t roll your own crypto!” The problem is that most of us are cleaver enough to fool ourselves.

So, did I just prove that “being secure” is impossible? Well I don’t know if I proved it, but it definitely “feels” that way. ;) Here’s the key point: Security isn’t about “Being Secure” its about being secure enough. What is enough? That’s defined by you! You define what is enough security for your home, your finances, your health, your computers. But that’s also the problem, to know how to best defend, you have to know how the bad guys are attacking. There’s no point in making your bank vault acid proof if the bad guys don’t have acid and aren’t using acid. (but they could go get acid, I hear you say…yes, that’s why you need to watch)

And here also lies the problem with “feeling secure”. Lets say you once were attacked by acid, you’re going to use that experience to defend yourself from future acid attacks…even if that’s not necessary. You’re going to always have acid protection in your mind because it once hit you and you don’t want that to happen again. The only way you’re not going to worry about it is if you have some other way to convince yourself that bad guys aren’t using acid. Maybe a law to prevent/restrict the sale of acid, or some kind of acid detector. Either way you’re probably spending resources (time/effort/money) on a defense that isn’t necessary, but so you can feel safe…and that may be just fine, or it may not.

Lets take a moment to define necessary in the realm of security. I’ll define it as the minimum amount of something (rules, layers of concrete, number of zeros after that 1, or whatever you need to defend) required to defend against current and future attacks. What did I say minimum, because we are talking about necessary, a.k.a needful. Also because I included “future” in that definition I just made it impossible to quantify, which means that we’re talking about risks and probabilities (in other words we just changed from solid to fuzzy, or from finite to infinite, or from algebra to statistics). Security is, in many ways, about predicting the future, or at least limiting and/or controlling the possibilities of the future. So is it necessary to defend against acid attacks? Only if there will be future acid attacks, otherwise you’re wasting resources.

So after this dizzying rambling, what are we to conclude? Well nothing really. Security is about predicting the future. Security is about being secure enough. Security is about feeling, but feelings can also be misleading.

The keys to security (albeit financial, physical, computer, or whatever):

1. Know your environment!
2. Know your enemy!

This gets interesting when you take these two concepts and start applying them to different securities.