When We Say “Security,” What Do We Mean? (Track I)
This essay serves as an introduction to our semantic safari, starting with the Latin word ‘securus.’ It is Track I of a longer concept album exploring what we mean when we use the word ‘security’ (and what it should mean).
You can find all the essays in the “When We Say Security, What Do We Mean?” concept album here:
-
Track III. The Dawn of Security as a Noun (Securitas)
-
Track IV. The Multifaceted Meaning of “Security” in the Roman Era (Securitas)
-
Track V. The Evolving Meaning of “Security” in the Early Modern Era (Securitas)
-
Track VI. What Does Security Mean in the Information Society?
Introduction
We say the word “security” a lot in tech. Whether we refer to “cybersecurity” or “information security” (or “infosec”), how often do we pause to question what we mean when we say the word security itself?
In general, arguing that words should mean things in infosec is like fighting against the gravity of a supermassive black hole1. Unfortunately for me, I will die on this hill until my inevitable spaghettification. From what I understand from cybersecurity journalism, this persistence makes me a “sophisticated” attacker, perhaps even one of those fabled advanced persistent threats (APTs). My cyberweapon of choice is words. My action on target? Destabilizing the industry’s dereliction of meaning. My APT group name will be SOCRATIC KITTEN.
So, true to the spirit of being advanced and persistent and threatening, I write this to challenge and, with any luck2, overthrow incumbent notions of the security concept while nurturing new notions that inspire and uplift. Like any self-respecting former author of angsty teen poetry, I chose as my medium a “literary concept album” featuring six essays as “tracks,” all exploring the title’s provocative question: When We Say Security, What Do We Mean?
The security concept, like other words-as-concepts (happiness, courage, justice) is an idea, per Plato, perceivable only by the eyes of the mind3. To borrow from Hannah Arendt4, the word “security” is “something like a frozen thought that thinking must unfreeze whenever it wants to find out the original meaning.” To thaw it, we must meditate upon it, seep ourselves in it, let the currents of concept cleanse our preconceptions.
“But Kelly,” you sigh, “This is cybersecurity awareness month, shouldn’t you be posting about something practical?” Like, what, the growing ATTACK SURFACE due to HUMAN ERROR? Much like the spherical cow, such metaphors5 simplify our understanding of the world so it feels comforting and calculable as escapism from the real world, which is very messy. The security people, in no shortage of irony, choose convenience in this trade-off. Humans will interact with systems and do very natural human things and the security people will clutch their pearls and gasp, “But why would they do such a thing?!” Maybe spherical SBOMs will solve security so we can all finally stop being aware of it.
Because requiring awareness is part of the problem. We have a word for when humans are excellent at being of aware of threats in their environment: hypervigilance. It is not good when humans are hypervigilant! It means the human is likely traumatized and their nervous system is dysregulated. Unfortunately, the security people want us all to be hypervigilant because nothing says accountability for a problem like telling the potential victims they’re responsible for it.
Imagine, if you will, a parallel SKYSECURITY AWARENESS MONTH where we tell people to be careful whenever walking outside because a piano might fall on their head or that they should be scrutinizing the clouds – their trajectory, color, fullness, and other patterns – to figure out whether they are safe or not. In real life, we have meteorologists and can open an app that tells us whether we probably need an umbrella or sunglasses or to just stay inside to stay safe. Sometimes people will still go outside because that hurricane isn’t going to Instagram itself but there have been and will always be fools and our strategy in a problem domain should not be focused on the minority of fools who will not be persuaded by facts or logic and will gladly jump over guardrails while wondering why they were there in the first place.
My point is that the security people have collapsed upon a meaning of “security” as a concept that is not serving them or users or organizations or society particularly well. The cybersecurity industry’s meaning of “security” is a distortion, in many cases the exact opposite, of what the word means and has meant throughout its long, storied history. That history has much to teach us, which is why it is, in fact, entirely practical and pertinent to explore it on our upcoming semantic safari.
Thus, this concept album will illuminate why our current notion of (cyber)security, the concept, is worth re-evaluating through the lens of what “security” has meant over time. True to Socratic tradition6, these essays will not provide a definitive answer. Our path will be circuitous, but we will perhaps absorb a superior sense of what this ineffable concept of “security” is through ouroboric osmosis by the end of our journey7. We may not produce a definition of “security” by the end (although we will try) but, having pondered the meaning of “security,” we might be able to make our own attempts at it better.
To begin our journey, we must time travel.
The Curious Nature of Securus
It’s a few hundred years before the common era in Rome. You’re chilling in a thermae with your bae admiring the intricate stone mosaic of a rather fetching deity beneath your feet as you feel your pores cleansing in the luscious steam.
Your beloved anaticula8 looks at you and smiles, “If only all our days together could be securus like this,” they say. You smile back and nod in blissful agreement, watching them rest their eyes with a satisfied sigh.
For the securus life is one without care. Securus starts with sē, the Latin prefix for “without,” which combines with cūra, the noun for care, concern, thought, trouble, solicitude, anxiety, grief, and sorrow.
Hence, securus is to enjoy piece of mind (securo animo esse9). Securus is the absence of concern, the absence of a troubled mind. The opposite of securus was sollicitus — the restlessness arising from being filled with fear, apprehension, anxiety, alarm.
Hurtling forward in time to 2022 CE, we can observe that the typical traditionalist infosec program is closer to sollicitus than securus. Fear, uncertainty, and doubt (FUD) pervade – and perhaps define – the industry. FUD are the foundational emotions industry vendors, journalists, and less scrupulous thought leaders exploit for fortune and fame.
Our world is increasingly software and internet but there is a powerful industry that tells us that we should be scared to use software and internet, that it is desirable for us to be uncertain at all times when using software and internet, that we should doubt our perceptions at all times because what if the 13,371,337th link you click or line of code you write in your lifetime causes CYBERGEDDON. All of this anti-securus rhetoric is supposedly in our best interests.
FUD pervades cybersecurity to such an extent that we take for granted that these emotions need not define the security we seek to cultivate. Could FUD not instead be seen as the explicit enemy of security?
Thus, a worthy thought experiment is: how might infosec programs look if they actually pursued the state of being securus? How would a security program designed to ensure the organization is “without care or concern or anxiety” appear? How would cybersecurity strategy differ if the goal outcome was for users – whether end consumers, software engineers, or employees – to feel care-free and untroubled?
We will explore those questions as we continue our journey. Our next stop is even further back in history, inspecting the inspiration for the word securus in Ancient Greece.
Continue with Track II: A Platonic Dialogue on Security (Securus).
Conclusion
You can find all the essays in the “When We Say Security, What Do We Mean?” concept album here:
-
Track III. The Dawn of Security as a Noun (Securitas)
-
Track IV. The Multifaceted Meaning of “Security” in the Roman Era (Securitas)
-
Track V. The Evolving Meaning of “Security” in the Early Modern Era (Securitas)
-
Track VI. What Does Security Mean in the Information Society?
-
The parallels between black hole firewalls and the infosec kind must remain a discussion for another time (if time isn’t just an abstraction). ↩︎
-
I performed a secret, arcane ritual to win the favor of the eldritch ones towards my quest of making the word security mean something better. But the gods are capricious and so the ultimate fate of this endeavor remains unknown. ↩︎
-
As Hannah Arendt described of such words, “when we try to define them, they get slippery; when we talk about their meaning, nothing stays put anymore, everything begins to move.” (From The Life of the Mind) ↩︎
-
Arendt, H. (1981). The life of the mind: The groundbreaking investigation on how we think. HMH. (In the section “Thinking” / “The answer of Socrates”) ↩︎
-
“Surface” is a spatial metaphor. Yet again, there is much to unpack with the language we use to talk about cybersecurity but, to keep with the metaphor, time marches onward… ↩︎
-
“The truth is rather that I infect them also with the perplexity I feel myself.” – Socrates ↩︎
-
This may sound like a journey up one’s ass, but it’s better than being a cookie-cutter infosec ass, I assure you. ↩︎
-
A term of endearment in ancient Rome; its literal translation is “duckling.” ↩︎
-
Carl Meißner; Henry William Auden (1894) Latin Phrase-Book, London: Macmillan and Co. ↩︎