# Security summarized Security, by its design, is keeping specific assets [safe](safety.md) by preventing actions from happening that would adversely affect those assets. ## Defining "secure" This isn't always that clear. The military, for example, has 4 definitions for "secure", based on the risks they interpret: 1. Capture something (Marines) 2. Guard something (Army) 3. Lock it to prevent intruders (Navy) 4. Purchase it to have a tactical advantage (Air Force) To that end, every secure thing has to have the following questions answered: 1. *Who or what*, exactly, is the asset being protected? 2. *Who or what*, approximately, could damage or destroy #1? 3. *How* would #2 happen? 4. *What or how* can #3 be stopped? We simply don't know the sources of what would harm our assets (#2) without [experience](understanding.md) or [education](education.md), but it's easy to [imagine](imagination.md) we do: - It's impossible to know about risks you couldn't have been exposed to, but it's easy to imagine our [fears](mind-feelings-fear.md) in that direction. - [Risk management has many domains](safety-riskmgmt.md), and confidence in one [specialization](jobs-specialization.md) can lead to presuming aptitude in other domains. - If we have particularly strong [trust issues](trust.md), we may not believe that others could be more specialized in managing those risks than we can do ourselves. In practice, knowing how things could be infiltrated (#3) is *not* conducive to [mental wellness](mind-feelings-happiness-focus.md) or [a meaningful life](goodlife.md) beyond a certain point: - 1-10% of society provides any legitimate risks to assets, and the rest of the people would never even *think* of doing anything adverse to it. - Dwelling on security risks beyond necessity almost guarantees you'll transfer an appropriately heavy-handed approach to a minority of people toward everyone else. ## Relative security Generally, people are more willing to take risks when they are cornered or at risk of losing assets. - While their circumstance will typically make them more reckless, they'll often [retell the story](stories-storytellers.md) as an experience of triumphant willpower instead of pure desperation. - For many reasons, [privacy](safety-security-privacy.md) is typically a worthwhile sacrifice for the benefit of safety in most other domains. A strong security force, therefore, is exposed to risks on a regular basis. - This can be legitimate (e.g., battle experience) or simulated (e.g., intentional bad actors). - Without this, almost everyone will act on pure animal instinct (i.e., self-preservation) and will abandon their role. ## Security specializations The domains of security break apart into many other subdomains: - [Law enforcement](legal-safety.md) protects against the violation of a nation's [rules](people-rules.md). - Private security protects against their [clients](people-contracts.md) or their possessions. - [Cybersecurity](computers-cysec.md) is the protection of adverse events involving [computers](computers.md), which can range from [encryption](encryption.md) to [group policies](computers-cysec-compliance.md). - Personal security involves protecting yourself and your possessions. - Locks and their mechanisms protect against breaches of physical things. - Most domains of [risk management](safety-riskmgmt.md) are [specialized](jobs-specialization.md) towards at least *some* aspect of the philosophies driving a security mindset. ## Deterrence Any security system, of any type, can't 100% stop things. The principle of deterrence is to provide enough risks against bad actors (e.g., automatically notifies the police) that they would reconsider acting. - A sufficiently [motivated](purpose.md), [creative](mind-creativity.md), and [talented](humanity.md) person can break through anything made by another person. - The objective, therefore, is not to be *completely* secure, since that can't happen. Instead, there are two large-scale objectives for any secure system: 1. Motivate the bad actor to perform action against a neighboring victim (e.g., a chain-link fence versus the neighbor having no fence). 2. Minimize the scope of possible destruction or theft from the bad actor (e.g., a different locked door for each room). Thus, the *actual* purpose of a security system (and a benevolent [legal system](people-boundaries-why.md)) is to make the intruders [work](results.md) harder than the reward by requiring them to spend more [power](power.md) to get it than it appears to be worth. APPLICATION: Nobody will outright admit it, but defenders are often trying to direct the attackers' efforts to the defender's neighbors. In particular, events that are both incredibly devastating and extremely unlikely are important to consider, but most people don't think about it: - We can often be so preoccupied with [a project's status and deadlines](mgmt-4_status.md) that we forget about what happens if we *do* succeed. - In many domains, the "ready, fire, aim" approach will be the most likely to get to market, and therefore [succeed against competitors](entrepreneur-3_plan.md). - Unless you're in a high-risk area, security systems cost money immediately, but it rarely provides any short-term benefit, especially against competitors. - The only way to allow security to work as part of the organization's mission (rather than against it) is to have safety or security as part of its [core values](mgmt-6_morale.md) or [marketing](marketing.md). It's difficult to gauge the effectiveness of a security system, for several reasons: 1. If it's obvious that they exist, their very existence may deter bad actors. 2. Their system will only be proven effective when the risk is too great to take the chance. This can be offset partially by intentionally hiring bad actors to attempt an infiltration (e.g., [Pentesters](computers-cysec-pentest.md)), but that's only dependent on the intelligence and skill of those infiltrators. ## Security's risks [Security](safety-security.md) and safety also come with an immovable cost. No matter what, increasing security sacrifices freedom and accessibility. This is because each layer of verification is both time-consuming and could yield a lockdown against the people who *should* have access ("false-negative"): - A *completely* walled city would only be accessible by skilled wall climbers. That's why cities have historically set gates on each side of the city. - It's near-impossible to crack an incredibly elaborate password, but it's also difficult to remember and has to be safely stored if it's written down. - An elaborate key mechanism is difficult to pick, but the key is difficult to reproduce, especially if it's lost. - In [modern society](technology.md), people probably spend at least 10 minutes a day with [habits](habits.md) that activate and deactivate security measures (passwords, car doors, etc.). So, because of this, most security systems build "back doors" to prevent [human error](humanity.md) from locking the entire system down and losing the [valuable](values.md) thing inside. Most [bad actors](morality-evil.md) become far more aware of this than most people want to admit. Because of our [habitual](habits.md) nature, we often forget *why* the security system is there and will fail to verify that it's a legitimate situation: - Man-in-the-middle attacks involve the person thinking they're accessing a legitimate website (which isn't) to enter their credentials like normal. - In a key-card system, people will be quick to give grace to someone who "forgot" their key-card, especially if they share a [common interest](people-friends-why.md) (like smoking). Distrust can also be [habit-forming](habits.md). We tend to [identify](identity.md) what we [focus](purpose.md) on, so we can become [obsessive](addiction.md) about protecting things. The cure is to ask *what* we're protecting and how much we're willing to [lose it](mind-feelings-fear.md). It's worth noting that security theater is useful in [large organizations](groups-large.md) to make the members feel safe and [trust](trust.md) their leaders [without any legitimate increase](people-image-distortion.md) in security. Some of them even promise it in exchange for individuals' [freedoms](people-decisions.md)! Security and freedom are inversely correlated, so something [valuable](values.md) that is also useful will invariably have to be protected by something inconvenient, and will likely still be exposed to risks: - Every country needs a military. - Preserving the freedom of speech requires permitting [hate speech](politics-leftism.md). - [Success requires loss](success-5_persevering.md). ## General security principles Record absolutely everything, and keep several copies safety stored away from public access. Understand the domains you wish to keep safe, and delegate anything you don't understand to an expert. Absolutely *every* piece of tangible information can present a security risk. - Knowledge of small details (e.g., favorite sports team, hometown) can lead to further information (known associates in a photo, medical records). Always communicate the presence of a security system. Only communicate the threat of the security system, but not its specifics. - Knowledge of a particular system can lead to knowledge of that system's procedures. ### Personal security Besides keeping yourself safe, personal security arrangements also have the side effect of more effective [legal protections](legal-safety.md) as well. Avoid public intoxication or inebriation. Have security-enforcing items *before* you need to use it. - Use a low-profile money belt or anti-theft bag. - Never carry large sums of cash on your person, and never all at once. - Place interested parties in an emergency on speed-dial. - Wear bio-monitors that send automatic updates to interested parties. - Consider investing in a body camera and dash cam for your [automotive](autos.md). - Get at least a few more locks than you technically need. - Test every lock or safe before using it. - If you're particularly high-profile, consider getting body armor under your shirt. Buy disposable electronic devices you're not afraid to lose (e.g., cheap computer, cheap cell phone). - Ideally, have a means to remotely wipe the data if it does get stolen. Beyond the equipment, most personal security comes from practicing healthy [habits](https://adequate.life/habits/). - Before traveling around a city, note the comparative crime statistics relative to other parts of that region. - Crime statistics are effectively worthless large-scale (since they only determine crimes *recorded* and not the actual number of crimes), but law enforcement have similar mindsets to fishermen: go where the likely events will happen. - When entering a new room, do a quick sweep of all potential risks. - Note all entry and exit points. - Consider anything that could be used to incite violent action (e.g., flammable objects). - When in a domicile, stay prepared. - Make sure the locks and peephole work properly. - Don't let strangers into your place, even if they state they have official permission. - Learn [specific ways to be safe from other people](safety-security-specific.md). If you're seriously committed, learn a working knowledge of an unarmed martial art.