Security Summarized

Security, by its design, is keeping specific assets safe by preventing actions from happening that would adversely affect those assets.

To that end, every secure thing has to have the following questions answered:

  1. Who or what, exactly, is the asset being protected?
  2. Who or what, approximately, could damage or destroy #1?
  3. How would #2 happen?
  4. What or how can #3 be stopped?

We simply don’t know the sources of what would harm our assets (#2) without experience or education, but it’s easy to imagine we do:

  • It’s impossible to know about risks you couldn’t have been exposed to, but it’s easy to imagine our fears in that direction.
  • Risk management has many domains, and confidence in one specialization can lead to presuming aptitude in other domains.
  • If we have particularly strong trust issues, we may not believe that others could be more specialized in managing those risks than we can do ourselves.

In practice, knowing how things could be infiltrated (#3) is not conducive to mental wellness or a meaningful life beyond a certain point:

  • 1-10% of society provides any legitimate risks to assets, and the rest of the people would never even think of doing anything adverse to it.
  • Dwelling on security risks beyond necessity almost guarantees you’ll transfer an appropriately heavy-handed approach to a minority of people toward everyone else.

The domains of security break apart into many other subdomains:

  • Law enforcement protects against the violation of a nation’s rules.
  • Private security protects against their clients or their possessions.
  • Cybersecurity is the protection of adverse events involving computers, which can range from encryption to group policies.
  • Personal security involves protecting yourself and your possessions.
  • Locks and their mechanisms protect against breaches of physical things.
  • Most domains of risk management are specialized towards at least some aspect of the philosophies driving a security mindset.

The principle of deterrence is to provide enough risks against bad actors (e.g., automatically notifies the police) that they would reconsider acting.

  • Anyone sufficiently motivated and sufficiently skilled, however, can still steal or destroy anything they want.
  • The objective, therefore, is not to be completely secure, since that can’t happen.

Instead, there are two large-scale objectives for any secure system:

  1. Motivate the bad actor to perform action against a neighboring victim (e.g., a chain-link fence versus the neighbor having no fence).
  2. Minimize the scope of possible destruction or theft from the bad actor (e.g., a different locked door for each room).

In particular, events that are both incredibly devastating and extremely unlikely are important to consider, but most people don’t think about it:

  • We can often be so preoccupied with a project’s status and deadlines that we forget about what happens if we do succeed.
    • In many domains, the “ready, fire, aim” approach will be the most likely to get to market, and therefore succeed against competitors.
  • Unless you’re in a high-risk area, security systems cost money immediately, but it rarely provides any short-term benefit, especially against competitors.
    • The only way to allow security to work as part of the organization’s mission (rather than against it) is to have safety or security as part of its core values or marketing.

It’s difficult to gauge the effectiveness of a security system, for several reasons:

  1. If it’s obvious that they exist, their very existence may deter bad actors.
  2. Their system will only be proven effective when the risk is too great to take the chance. This can be offset partially by intentionally hiring bad actors to attempt an infiltration (e.g., Pentesters), but that’s only dependent on the intelligence and skill of those infiltrators.

General Principles

Record absolutely everything, and keep several copies safety stored away from public access.

Understand the domains you wish to keep safe, and delegate anything you don’t understand to an expert.

Absolutely every piece of tangible information can present a security risk.

  • Knowledge of small details (e.g., favorite sports team, hometown) can lead to further information (known associates in a photo, medical records).

Always communicate the presence of a security system.

Only communicate the threat of the security system, but not its specifics.

  • Knowledge of a particular system can lead to knowledge of that system’s procedures.

Personal Security

Besides keeping yourself safe, personal security arrangements also have the side effect of more effective legal protections as well.

Avoid public intoxication or inebriation.

Have security-enforcing items before you need to use it.

  • Use a low-profile money belt or anti-theft bag.
    • Never carry large sums of cash on your person, and never all at once.
  • Place interested parties in an emergency on speed-dial.
  • Wear bio-monitors that send automatic updates to interested parties.
  • Consider investing in a body camera and dash cam for your automotive.
  • Get at least a few more locks than you technically need.
    • Test every lock or safe before using it.
  • If you’re particularly high-profile, consider getting body armor under your shirt.

Beyond the equipment, most personal security comes from practicing healthy habits.

  • Before traveling around a city, note the comparative crime statistics relative to other parts of that region.
    • Crime statistics are effectively worthless large-scale (since they only determine crimes recorded and not the actual number of crimes), but law enforcement have similar mindsets to fishermen: go where the likely events will happen.
  • When entering a new room, do a quick sweep of all potential risks.
    • Note all entry and exit points.
    • Consider anything that could be used to incite violent action (e.g., flammable objects).
  • When in a domicile, stay prepared.
    • Make sure the locks and peephole work properly.
    • Don’t let strangers into your place, even if they state they have official permission.

If you’re seriously committed, learn a working knowledge of an unarmed martial art.