Lysa Myers
Defining Security: The Difference Between Safety & Privacy

Words matter, especially if you are making a case for new security measures, state-of-the-art technology or personnel.

Have you ever had a moment where you were reading something and suddenly doubted your comprehension of a particular word? I had this experience recently, about the meaning of the word "security." As someone whose job title includes security, it was a particularly perplexing moment. At the same time, it cleared up a lot of confusion I’ve had about how security is viewed by its various constituencies.

For most of us, our first introduction to the concept of security is in the physical realm, perhaps an encounter with a security guard or a security checkpoint. The former is like a monitor whose job is to stop dangerous things that are already happening. The latter is more active: a search that aims to exclude suspicious or dangerous people or things.


The more active type of security check is being used with increasing frequency to improve public safety, but this is leading a lot of people to feel more vulnerable. Computer security tips caution people not to leave their devices in places that are out of their sight or control, and not to give strangers access to their devices, because these actions increase risk. It could be argued that when something increases the risk of theft of devices or data, it should not be called security.

These checkpoints and their digital equivalents exist on a spectrum from "easily acceptable to everyone" to "most people find it intrusive" depending on a few different factors that aren’t necessarily intuitive or obvious.

There are a few questions that help clarify where a security measure lies on that spectrum, from easily acceptable to intrusive:

  • Is the area being secured a private residence or business?
  • If the secured area is public: are you inspecting everyone and everything and removing whatever or whomever could be considered suspicious? Or are you checking a list for specifically dangerous people or items?
  • Are the criteria fairly decided and equally applied? Are there effective methods to correct the list quickly if there are errors or omissions?
  • Are records kept of everyone or everything that entered or exited this area?

Let’s take a bank as an example: People generally consider a bank with strong security a very positive thing. It is a private business, but one that anyone should be able to access to a certain extent. You expect that security measures will be increasingly exclusive the closer to the vault you get. Security measures that happen at the front door should primarily be passive monitoring. Access to areas behind the teller’s desk should be fairly limited. And access to the bank vault itself should be both extremely exclusive and closely monitored.

The more you stick to a blacklist approach – quickly excluding only those items or people that are predetermined to be dangerous, and logging only the positive detections – the less privacy and control are compromised. While this approach risks letting previously unknown, dangerous things or people through, the alternative isn’t exactly foolproof either. And while logging can be used to help keep everyone honest, measures must be taken to keep that information from being used maliciously.

Any time people are asked to forfeit privacy or control, it increases vulnerability. And an increase in vulnerability is a decrease in our personal security. But to achieve perfect security would require us to live in a fortified box that allowed no connection with other people. Because we homo sapiens are social animals, this vulnerability is not always negative, but it is something we should enter into with our eyes wide open.

Time to Define Terms
I would argue that there are two distinct definitions of the word security in the digital sense. There is the definition that is closer in meaning to "safety," defined as protected from danger. And there is the definition that is closer to "privacy," meaning free from being observed. Both definitions imply mitigating risk, but in diametrically opposite and often incompatible ways.

One might think that a language with around 250,000 distinct words would have enough choices that we could have enough specificity to clarify our exact meaning, but advances in technology seem to be forcing us to use existing words in very different ways. This is nothing new, though the pace of this change is accelerating.

I wish I could wave a wand and put everyone on the same page with the way the word security is used. But I realize that this ship has already sailed, and the metaphorical boat is probably rapidly approaching Point Nemo. My more realistic wish is that – especially during contentious discussions – we consider the possibility that someone may be operating with a different definition.

If you have an uphill battle ahead of you to convince someone to adopt security measures, or to allocate budget for security purchases or personnel, it might be useful to clarify what sort of security you intend to provide.

Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She has watched both the malware landscape and the security technologies used to prevent threats from growing and changing dramatically. Because keeping up with all ...

6/30/2017 | 12:51:40 PM
The Popularity of Privacy Over Security
I credit this confusion some folks have (not just outside the industry but inside, too) between the definitions of these two words to the very successful campaigns of groups like the Free Software Foundation and Electronic Frontier Foundation.  Encouraging encryption, the use of tools like PGP/GnuPG and leveraging the legal genius of folks like Eben Moglen (Software Freedom Law Center) successfully framed a dialog about "privacy" that slowly became part of the popular consciousness, eventually inseparable from our conversation about "security" because the tools to secure both often were the same, or overlapped.  I like these folks, so I'm not saying what they do isn't important but it still contributed to this confusion, IMHO.

Stories about folks like Aaron Swartz (R.I.P.), Ed Snowden and Julian Assange also then became more about the "privacy" discussion than "security" when, in many cases, it really should have started with a discussion about security.  I'm not taking a stance against privacy, or making a comment for or against these folks or organizations like Anonymous.  Rather, I'm pointing to the evolution of how we as consumers of word meaning and media stories got here.  I also see a lot of credit going to the tech legal eagles who have fought hard to blur lines to secure rights to "privacy" for the individual but also (not intentionally, I'm sure) threatening "security" in the process by 1) causing this confusion in meaning and 2) putting "privacy" as a proposed "right" before the rights of all consumers to have access to "security" in the products they use, the transactions they make, the information they obtain.

I think this is not just about defining each word clearly when defining your project or selling a solution, but it is also about making sure the frenzy behind "privacy" doesn't put your "security" project at risk, a situation I'm sure many an Enterprise Desktop, Mobile and Email security team has run into.
