We say the word “security” a lot in tech. Whether we refer to “cybersecurity” or “information security” (or “infosec”), how often do we pause to question what we mean when we say the word security itself?
In general, arguing that words should mean things in infosec is like fighting against the gravity of a supermassive black hole[1]. Unfortunately for me, I will die on this hill until my inevitable spaghettification. From what I understand from cybersecurity journalism, this persistence makes me a “sophisticated” attacker, perhaps even one of those fabled advanced persistent threats (APTs). My cyberweapon of choice is words. My action on target? Destabilizing the industry’s dereliction of meaning. My APT group name will be SOCRATIC KITTEN.
So, true to the spirit of being advanced and persistent and threatening, I write this to challenge and, with any luck[2], overthrow incumbent notions of the security concept while nurturing new notions that inspire and uplift[3].
The security concept, like other words-as-concepts (happiness, courage, justice) is an idea, per Plato, perceivable only by the eyes of the mind[4]. To borrow from Hannah Arendt[5], the word “security” is “something like a frozen thought that thinking must unfreeze whenever it wants to find out the original meaning.” To thaw it, we must meditate upon it, steep ourselves in it, let the currents of concept cleanse our preconceptions.
“But Kelly,” you sigh, “shouldn’t you be posting about something practical?” Like, what, the growing ATTACK SURFACE due to HUMAN ERROR that will surely be solved with SECURITY AWARENESS? Much like the spherical cow, such metaphors[6] simplify our understanding of the world so it feels comforting and calculable as escapism from the real world, which is very messy. The security people, in no shortage of irony, choose convenience in this trade-off. Humans will interact with systems and do very natural human things and the security people will clutch their pearls and gasp, “But why would they do such a thing?!” Maybe spherical SBOMs will solve security so we can all finally stop being aware of it.
Because requiring awareness is part of the problem. We have a word for when humans are excellent at being aware of threats in their environment: hypervigilance. It is not good when humans are hypervigilant! It means the human is likely traumatized and their nervous system is dysregulated. Unfortunately, the security people want us all to be hypervigilant because nothing says accountability for a problem like telling the potential victims they’re responsible for it.
Imagine, if you will, a parallel SKYSECURITY AWARENESS MONTH where we tell people to be careful whenever walking outside because a piano might fall on their head or that they should be scrutinizing the clouds – their trajectory, color, fullness, and other patterns – to figure out whether they are safe or not. In real life, we have meteorologists and can open an app that tells us whether we probably need an umbrella or sunglasses or to just stay inside to stay safe. Sometimes people will still go outside because that hurricane isn’t going to Instagram itself, but there have been and will always be fools, and our strategy in a problem domain should not focus on the minority of fools who will not be persuaded by facts or logic and will gladly jump over guardrails while wondering why they were there in the first place.
My point is that the security people have collapsed upon a meaning of “security” as a concept that is not serving them or users or organizations or society particularly well. The cybersecurity industry’s meaning of “security” is a distortion, in many cases the exact opposite, of what the word means and has meant throughout its long, storied history. That history has much to teach us, which is why it is, in fact, entirely practical and pertinent to explore it on our upcoming semantic safari.
Thus, this essay will illuminate why our current notion of (cyber)security, the concept, is worth re-evaluating through the lens of what “security” has meant over time. True to Socratic tradition[7], these essays will not provide a definitive answer. Our path will be circuitous, but we will perhaps absorb a superior sense of what this ineffable concept of “security” is through ouroboric osmosis by the end of our journey[8].
We may not produce a definition of “security” by the end (although we will try) but, having pondered the meaning of “security,” we might be able to make our own attempts at it better.
To begin our journey, we must time travel.
The Curious Nature of Securus
It’s a few hundred years before the common era in Rome. You’re chilling in a thermae with your bae admiring the intricate stone mosaic of a rather fetching deity beneath your feet as you feel your pores cleansing in the luscious steam.
Your beloved anaticula[9] looks at you and smiles, “If only all our days together could be securus like this,” they say. You smile back and nod in blissful agreement, watching them rest their eyes with a satisfied sigh.
For the securus life is one without care. Securus starts with sē, the Latin prefix for “without,” which combines with cūra, the noun for care, concern, thought, trouble, solicitude, anxiety, grief, and sorrow.
Hence, securus is to enjoy peace of mind (securo animo esse[10]). Securus is the absence of concern, the absence of a troubled mind. The opposite of securus was sollicitus — the restlessness arising from being filled with fear, apprehension, anxiety, alarm.
Hurtling forward in time to 2023 CE, we can observe that the typical traditionalist infosec program is closer to sollicitus than securus. Fear, uncertainty, and doubt (FUD) pervade – and perhaps define – the industry. FUD are the foundational emotions industry vendors, journalists, and less scrupulous thought leaders exploit for fortune and fame.
Our world is increasingly software and internet but there is a powerful industry that tells us that we should be scared to use software and internet, that it is desirable for us to be uncertain at all times when using software and internet, that we should doubt our perceptions at all times because what if the 13,371,337th link you click or line of code you write in your lifetime causes CYBERGEDDON. All of this anti-securus rhetoric is supposedly in our best interests.
FUD pervades cybersecurity to such an extent that we forget these emotions need not define the security we seek to cultivate. Could FUD not instead be seen as the explicit enemy of security?
Thus, a worthy thought experiment is: how might cybersecurity programs look if they actually pursued the state of being securus? How would an information security program designed to ensure the organization is “without care or concern or anxiety” appear? How would cybersecurity strategy differ if the goal outcome was for users – whether end consumers, software engineers, or employees – to feel care-free and untroubled?
We will explore those questions as we continue our journey. Our next stop is even further back in history, inspecting the inspiration for the word securus in Ancient Greece.
A Platonic Dialogue
Persons of the Dialogue[11]
Theoxorus: I am feeling secure in my knowledge today, Secrates, yet have no doubt you shall shortly annoy me with indistinct inquiries into something simple that we should enjoy simply for simplicity’s sake.
Secrates: Secure! O, my dear Theoxorus, do my ears truly witness you bringing a conversation to me on a shining platter?
Theoxorus: What do you mean, Secrates?
Secrates: I mean that you used the word “secure.” And what does “secure” mean? We should always be on the lookout for such answerless words. I know you do not wish to examine it, but now we must!
Theoxorus: Secrates, no –
Secrates: Do you truly object? Is it not your own lips which revealed the relevance of this word to your very life?
Theoxorus: I… I cannot object.
Secrates: And neither can I. We must proceed and, another time, we can discuss what your hesitance for exploration means. I observe that you grow weary of dissecting words and essences of late. And yet with what else do you fill your days? Is it not your own shame you are unwilling to confront? Is it not this regular discourse that exposes the inner self you wish to –
Theoxorus: Secrates! Let us examine “secure” now and my own soul later.
Secrates: As you wish, my dear Theoxorus, I will now proceed with this inquiry, for which I owe you many thanks. There are two words from our current civilization that serve as the inspiration for securus: ataraksia and asphaleia. Let us proceed first with ataraksia.
Theoxorus: What tongue is the word “securus”?
Secrates: Yes. I have seen into the future during a bathing ritual.
Theoxorus: Ah, Secrates, you indulge in the pleasures of the oracles!
Secrates: Believe what you wish. But let us now proceed, as you insisted. What defines ataraksia but what it is not? It is the negation of taraksia, from tarrassein, which means to trouble the mind, to agitate, to disturb, to stir.
Theoxorus: Just as your incessant inquiries do to me.
Secrates: Precisely. And if ataraksia is the negation of these verbs, may it not be said to reflect calmness, equanimity, tranquility? It is as Pyrrho said, a form of freedom from distress and concern, and as the public says in their less formal dialogue, it is the mental state soldiers must cultivate before battle. Is it a goal, a kind of goodness, that a person must pursue in their lives? The Pyrrhonists, Epicureans, and Stoics would agree with this, each for different reasons reflecting their different philosophical foundations.
Theoxorus: What do you think, Secrates?
Secrates: I know nothing, as you know well, Theoxorus. What matters for our conversation is the essence of ataraksia: a freedom from disturbances, especially of the mental variety. And, then, as I have seen in my bathtub in a very distant future, what matters is that the verbs ataraksia is meant to negate – to disturb, to agitate, to trouble, to stir – are the verbs most associated with traditional cybersecurity. Does this not suggest security then means its very opposite?
Theoxorus: To be sure.
Secrates: And does this not trouble the mind in itself?
Theoxorus: Certainly. But how can you know such contradiction abounds?
Secrates: This future world seems designed by contradiction. Their “security awareness training” exercises, such as those meant to phish humans as one lures a fish with a decoy worm, have the explicit goal of “troubling the mind” to keep persons vigilant for danger. In this future, application security tools are infamous for how they disturb software development and delivery practices – and does that not trouble the minds of software engineers? The list of security rules and policies are unending, often arbitrary – and have they not found a most effective means to agitate the subjects under their dominion?
Theoxorus: They have.
Secrates: And do we believe that such activities result in greater defenses?
Theoxorus: Certainly not, unless one believes that defense is impossible through design. This reminds me of our prior dialogue on beauty, Secrates, as what you describe of this “infosec industry” must make it beauty’s enemy.
Secrates: Are you surprised, Theoxorus, that infosec makes enemies when its goal is to disrupt tranquility? And how could cybersecurity achieve beauty when it sees ugliness and danger in all things outside itself?
Theoxorus: Of course. But surely some interpretation by other schools of thought justifies this perversion?
Secrates: They will not. Ataraksia is seen as a strict requirement to attain the true, full happiness referred to as eudaimonia. It may surprise you, my dear Theoxorus, that the word ataraksia is associated with Epicurean philosophy.
Theoxorus: But calmness seems harmonious with Epicureanism.
Secrates: Did you wish to ask me a question, my friend?
Theoxorus: Your social skills are as crude as unfired amphorae, Secrates. So, then, what is shocking about this?
Secrates: It is shocking because it is hard to imagine a philosophy more opposed to cybersecurity than Epicureanism, which argues that the goal of a sentient life form is to maximize pleasure and minimize pain[12]. Epicurus is specific in defining pleasure as the absence of pain, and therefore “ethical hedonism” is the pursuit of avoiding pain, including that which imparts pleasure near-term but pain longer-term. Without distracting ourselves by examining Epicureanism in more detail, we can say that the goal they espouse is to foster a life of tranquility. Does this cybersecurity community foster a life of such tranquility?
Theoxorus: They do not.
Secrates: I agree, my friend. Cybersecurity is not known for avoiding pain, regardless of temporal outlook. The cybersecurity community inflicts pain on others, whether by stoking fear or by making lives harder. Is it not fair to argue that infosec even inflicts pain on itself?[13] Is it not cruel to cultivate obsession with vulnerabilities that kindle fear, uncertainty, and doubt when your stated aim is to eliminate them? Do we believe this fetishization of vulnerabilities and lascivious focus on blaming what they call “human error” can be called “ethical hedonism”? Or is it a societal mechanism to stifle introspection and to instead reenact shame? I regret that these questions reflect a topic for another time in the realm of psychology[14], which has yet to be invented.
Theoxorus: You tease me, Secrates.
Secrates: Yes, but there is another thing, Theoxorus: what of asphaleia?
Theoxorus: You are unfailing in your pursuit, Secrates.
Secrates: Well, I suspect you might find its origin amusing. Asphaleia originates from wrestling and reflects the capacity to prevent being overthrown, being immovable and steadfast, like the throne of the gods, or like me in the presence of your lamentations and tantrums about our discourse. By roughly a century before our time[15], asphaleia also came to mean the stability of the city state, to prevent being overthrown, and, if I permit myself to indulge in speculation, it could be extended to describe the stability of an organization (a kind of social entity I beheld in my bath). And, as some great scientists will prove thousands of years from our day, speed and stability of work harmonize and impart greater value together than apart. And, well, now I can put the matter as: is this infosec, that which slows down work, an enemy of asphaleia?
Theoxorus: Yes, certainly.
Secrates: Very good; and can you tell me how this might be despite asphaleia serving as the seed of the “security” concept’s own existence?
Theoxorus: I must confess, Secrates, that this “security” society of the future seems very lost.
Secrates: I dare say, my friend, that you spend too much time with me if you think it is an uncommon human desire to seek power and control, even at the expense of integrity. And can we truly argue that such desires are always conscious to the subject?
Theoxorus: Alas, they are not.
Secrates: If what you say is true, I ask you, then: what is this cybersecurity society not most of all?
When Secrates had asked his question, for a considerable time there was silence; Theoxorus furrowed his brow while meditating on this question; only Secrates made a sound when softly blowing on the delicate seedheads of a dandelion.
Theoxorus: For what did you wish as you blew, Secrates?
Secrates looked up at Theoxorus and said, with a smile: For you to answer my question.
Theoxorus: I will tell you. My feeling is that this cybersecurity society lacks curiosity.
Secrates: Exactly. The traditional cybersecurity society is kin of Argus Panoptes; the role of enforcer grants them relevancy but not wisdom. Alas, my friend, if only they would follow the path of Daedalus instead. They feel ignorance as a sting and slight, as if ignorance was not the default condition of being alive! But there is more: how are they like the sophist?
Theoxorus: They both are paid to question without truth as their aim.
Secrates: And do they not both gain fortunes from this?
Theoxorus: They do.
Secrates: And are they not both hunters after a living prey, servants of the powerful, cousins of opportunists exploiting emotion for control?
Theoxorus: They are.
Secrates: But where the cybersecurity society differs is they seek the impossible void – the not-being of weakness – and they are willing to destroy whatever being stands in the way of this pyrrhic quest.
The Dawn of “Security” as a Noun: Securitas
The ancient association of securus with Epicureanism was not to last. Epicureanism was outlawed once the Roman Empire entered its rebellious Christianity phase because, as a philosophy, it’s quite incompatible with the idea that souls must be “saved” and that God is relevant to everyday life (Epicurus literally argued that the gods do not gaf about human affairs and do not punish or reward human behavior).
Why is this relevant to cybersecurity? Because – as a collection of entities across vendors, consultants, thought leaders, and practitioners incentivized to increase influence on the world – information security has sanctified itself as a secular authority who can deem worthiness from on high and reward or punish according to behavior[16].
Most security advice roughly goes, “if you’re interacting with a computer and what you’re doing feels convenient, you are actually doing something BAD.” We’re supposed to report when we’ve done something wrong, like a Catholic at confessional. We can gain an “exception” from the security authority like the medieval Catholic Church granting indulgences[17] to partially reduce the punishment of the sin.
Naturally, only the ordained can read and interpret the sacred texts. The unwashed masses may only receive the good word. The divine wisdom is so complex, so arcane, far too difficult for anyone else to transform into action. Does this not imply that the non-security “normies” cannot be secure without the blessing of the security establishment? The human “users” must suffer in this life for their sins, for turning away from the path of security[18].
In the eyes of the Cybersec Church, users are weak sheep who must be told what to do and guided with a strong hand in the ways of natural security law, lest they drift wayward into wickedness. We must practice chastity in all manners digital and resist the temptation of clicking on things unless we want the whole network to drown in depravity[19].
For the Security Spirit is always watching. It knows when you allow incoming connections from cloud provider IPs even though attackers also use those IPs. It knows when you copy and paste something from Stack Overflow even though it could be backdoored. It knows when you don’t VPN on the hotel WiFi, where anyone, including a big, sexy scary APT could connect to it. Wicked, wicked user! A thousand years smoldering in hellfire and pestilence for your sins! Try clicking things now once the maggots have feasted upon your flesh!
We will return to security in the context of authority later, but now we must march onward to examine how securus, the adjective, evolved its noun form: securitas. In the Roman period, securitas specifically corresponded to intense emotions. And, it’s worth noting, the freedom from care represented by securitas does not require justification based on reality.
Securitas refers to a group of emotions (the things security and software “rationalists” alike pretend they don’t have) which relate to the absence of fear and include emotions like trust and confidence[20]. In fact, even the more modern notion of “job security” aligns to this older meaning; it is a feeling, specifically that you don’t have to worry about losing employment. Threats to it aren’t the point; the feeling is the point.
Now, my dear mortals, can we imagine a cybersecurity program designed to ensure the organization is fearless and free from care, an infosec program that is quiet, easy, and composed? Cybersecurity as a discipline would be concerned with ensuring the organization could remain cheerful, tranquil, and serene. Servers would frolic in a field like fecund fawns. Software engineers would release code with confidence, trusting the safety designed into their languages, tools, platforms, and environments. If employees felt fear, uncertainty, or doubt when using technical systems, the security program would be curious and design solutions to alleviate their concerns.
Imagine a cybersecurity program with the goal of relieving the rest of the organization from anxiety about security… cybersecurity that promotes convenience and puts in the hard work of crafting design-based mitigations. Status quo infosec – manifesting as SecObs, Security Theatre, etc. – seeks quite the opposite. Traditional cybersecurity programs openly admit aiming to increase anxiety among the rest of the organization to ensure they are vigilant to threats and always looking over their proverbial shoulders for potential peril. The security people decry convenience and shame users for seeking it while simultaneously indulging in it like Scrooge McDuck in his pool of gold by relying on enforcement, behavioral control, and blame as cheap “mitigations.”
I often read security advice or policies or other prescriptions and have the sense that the authors are trying very hard to pretend that local context is irrelevant and that generalized control is possible. Convenience is often framed as the enemy. The question is: convenience for whom?
Sure, convenience is clicking on every link or adding a third-party library without a second thought. But convenience is also requiring a security tool that you will never have to use, without performing any user research with the humans who will use it in their workflows. Convenience is tapping the 10^10 Security Commandments when someone makes a mistake and blaming them in front of Congress. Are we shocked that a framework of “convenience for me, but not for thee” doesn’t seem to produce the bundle of positive emotions securitas represented?
Are there words less associated with cybersecurity than “cheerful,” “bright,” “serene,” “composed,” “quiet,” or “easy”?[21] The whole business seems antithetical to those traits. Traditional infosec is all cura and no se – better deemed “cybercurity” than cyber-se-curity: a discipline of increasing concern, thought, trouble, anxiety, and grief in the organization regarding “cyber” matters. Offensive security is especially nonsensical through this etymological lens because it then means “offensive tranquility.”
Or maybe it isn’t that strange. After all, don’t overpriced healing crystals and cyber wares have quite a bit in common?
The Multifaceted Meaning of “Security” as “Securitas” in the Roman Era
While a sense of dignity is not the vibe most of us feel when clicking through mandatory cybersecurity awareness training courses, dignity and security were seen as closely coupled concepts in the Roman era.
Cicero, living during the last century B.C., noted that whoever has tranquillitate animi (a tranquil mind) and securitas will have dignitas (dignity)[22]. Cicero’s meaning of securitas here involves the absence of care or fear as well – and he saw this tranquility of mind as a prerequisite for an individual’s personal happiness and prestige in society. (We will talk about respect and dignity in the context of security more once we time travel to more modern definitions of the word).
A century later, Seneca framed securitas as a mindset[23], a lovely extension of the existing notion of security as a bundle of emotions. Inspired by Socrates, Seneca viewed securitas – and the absence of the fear emotion[24] – as how the wise can come closer to god because only a god has no reason to fear death[25].
Securitas as this nearly-divine mindset quickly morphed into an association with divinity itself during the reign of Nero (the 1st century AD), specifically reflecting the divinity of the Emperor[26] on coinage. It also started to reflect an environmental vibe rather than emotions or mindset; the surrounding world, the genesis of a subject’s freedom from care, could also be securitas, possessing a peaceful and tranquil atmosphere.
But Seneca also laid the groundwork for coupling the security of the state with security of individuals, in the specific sense of public securitas contributing to the capacity to live according to virtue. In this framing, securitas was explicitly based on mutual trust between the ruler and the ruled.
This reflects yet another semantic deviation with cybersecurity, which is generally mistrustful of any parties outside infosec, including those who should be allies (like software engineers). How else should we characterize the common refrain that any employee is a potential “insider threat”? And the cybersecurity status quo certainly does not seem to foster mutual trust by helping potential allies live well, offering minimal proof that they have the best interests of the collective in mind; if anything, they often prove the opposite.
In fact, Seneca highlights that it is a mistake to think that “a ruler is [only] safe when nothing is safe from the ruler.”[27] The pox of “shadow” assets – whether shadow IT, shadow SaaS, shadow containers, shadow APIs – shows that the infosec establishment succumbs to this mistake readily. In fact, cybersecurity’s general fetishization of control – vitalized by vendors – is a continuous realization of this mistake.
As anyone familiar with the motifs of history could predict, the subsequent rulers did not listen to Seneca’s admonition, which eventually led to an explicit rejection of hereditary rulership in the Nerva-Antonine dynasty. (Take that for what you will in the context of our current cybersecurity rulership). This led Tacitus to express the new securitas publica (public security) as the confidence of the citizens that the state will no longer threaten them[28]. That mutual trust was the core ingredient of securitas during that phase and reflected a check on authority.
It is interesting to ponder the notion of securitas publica in the organizational context; an organization’s citizens would be confident that the enforcers of security policy can no longer disrupt their way of life or erode their pursuit of fulfillment. How many cybersecurity programs might be characterized as such today? How many programs instead feel disruptive, corrosive to productivity, and fostering anything but a “peaceful and tranquil atmosphere”?
Securitas’ confident spirit evolved into the meaning of “assurance of faith” (as opposed to doubt) during Roman Antiquity, as espoused by Tertullian and, later, Saint Augustine. This “opposition to doubt” again is at odds with one of the letters of the acronym which defines traditional cybersecurity: F.U.D. (fear, uncertainty, and doubt). As we’ve seen time and again throughout this essay (and we’re only into the 2nd - 4th century A.D. here!), the earlier and variegated meanings of securitas fly in the face of traditional infosec. Traditional infosec wants to doubt everything. It takes pride in doubting everything. Assurance of faith is seen as a security sin.[29]
Speaking of faith, early Roman Antiquity also saw the creation of Securitas as a deity. While the mythos surrounding Securitas, the goddess, is lamentably shallow, it’s worth noting that she was the goddess of security and stability[30]. Given the evidence from the DORA research and metrics that stability and speed work in tandem and are complementary, this suggests that if we worship at the altar of security, then we must also worship at the altar of speed.
The Roman god of speed, Mercurius (aka Mercury), was also the god of shopkeepers, merchants, travelers, transporters of goods, thieves, and tricksters. It’s worth noting that the coupling of commerce and prosperity with security is quite common throughout its history (more on this once we get to the 16th century). Traditional cybersecurity, in contrast, often pretends like prosperity is not the primary goal or, worse, views prosperity as a foe to security.
“Why don’t companies prioritize security? Don’t they know THE THINGS can be HACKED??” Well, dear security people, what do you think allows the companies to pay for your six or seven figure salary? It is because they prioritize money that they can afford to spend it on security endeavors that do not remunerate them and often cannot even be tied to tangible success outcomes beyond “we saw these malware samples or known bad IPs this month” spoonfed from vendor dashboards in symbiotic self-perpetuation.
The infosec industry forgets that security, even in its more modern meaning, is not just about protecting against threats; it’s about protecting something against threats. In the business context, it’s about protecting prosperity against threats. Through this lens, is it not a victory if a security program waters the seeds of revenue growth? And is the security program not a tragic failure if it chokes and cages this material growth because of a “risk” that exists only as an incorporeal counterfactual?
Between the profligate spending on ineffectual security tools and the obstructionism imposed by security programs, it’s quite possible that the threat to enterprise prosperity by traditionalist cybersecurity rivals that posed by actual attackers.
This distinction is also emphasized in the term “national security,” even as we mean it today: national security is about defending against threats to what? Liberty, prosperity, the pursuit of happiness… and we rightly dislike security measures that get in the way of these goals (often labeling them as “Security Theater”[31]).
Thus, we must ask, cybersecurity defends against threats to what? Largely the same things, but in businessy and computery contexts. If liberty or prosperity or the pursuit of happiness is choked out by security measures, then security is the threat in itself and the subjects are left in need of security against security[32]. Indeed, this is where we find ourselves with cybersecurity today.
But we are not yet done with this era. A few centuries after the deification of securitas, its meaning as “carefree” was twisted by religious leaders into an undesirable form: the state of being careless, reckless, heedless, and negligent[33].
This notion of security is perhaps closest to the status quo in infosec today, which is quite careless with human (user, developer, colleague) time and attention, reckless with organizational budget, and negligent of design-based security solutions that are more reliable than attempting to control human behavior. The cybersecurity industry is heedless with its FUD-fueled zealotry, fretting about irrelevantia while pretending nothing can be done about the grey rhinos charging into our systems.
Securitas was also relevant in the context of “Roman security” and specifically meant the Roman Empire’s peaceful and orderly domination of the world. Would we characterize traditional infosec programs as peaceful and orderly today? Even diehard zealots of the cybersecurity status quo readily admit that much of infosec in practice is firefighting and disorder. A worthy question is: who benefits from this paradigm?
Alas, the Roman Empire declined, as did securitas, whose meanings were largely stolen by the word certitudo. Thus, we must go to the provincial stables of the Middle Ages to continue our semantic safari. The two meanings of securitas not consumed by certitudo included pax (peace) and religious indifference.
The latter meaning persisted (albeit without nearly as much popularity as before) through to Martin Luther in the 16th century, who labeled “die Sicheren” as the people he was fighting against – people who did not truly trust the Holy Spirit and substituted true faith for religious rituals and conspicuous, performative acts. In his time, spiritual unity was preserved “through coercion and violence… dissent from orthodoxy was outlawed, heresy was rooted out and punished by fire and sword.” Luther was excommunicated for his “errors” about the Holy Spirit, including the “error” of believing the Christian god wouldn’t want heretics burned alive.
In our era, the traditionalist Security People put quite a bit of trust in their folk wisdom and rituals, despite their unclear success. It is still counterculture to suggest that humans shouldn’t be punished for security “errors.”34 And does it not benefit the vendors and research analysts to continue spoon feeding this advice to security leaders?
Just as Martin Luther felt centuries past about religious belief, is it wrong to want to reconstruct our entire approach to cybersecurity? Just because power structures are in place, incumbents entrenched, money flowing, does not mean something new, bold, and based on real acts of security rather than displays of it – on outcomes vs. outputs – could not supplant the status quo. Fatalism is not true to our nature as humans and certainly not true to the spirit of the “security” concept as we have seen.
But there is more for us to see and for that, we must venture onward into the pre-Enlightenment period and beyond…
The Evolving Meaning of Security as ‘Securitas’ in the Early Modern Era
Centuries passed and the relevance of the word securitas faded. Thomas Hobbes, one of the founders of modern political philosophy in the 17th century, was really the hype man for securitas to keep it from dissolving into disuse35.
Hobbes depicts the goal of securitas as the genesis and maintenance of peace, which, as we’ve already discussed, is quite unlike the cybersecurity status quo. Securitas is cultivated through alliances to make it dangerous for the remaining “all” to attack. Samuel, baron von Pufendorf36 emphasized the need for allies with a less cynical angle, arguing that an individual human needs companions to aid them in order to realize securitas (which perhaps foreshadows the concept of “social security”).
Are cybersecurity professionals today known for gathering allies? Quite the opposite. For instance, the relationship between developers and security pros seems to only be getting worse37. Traditional infosec strategy does not enforce security policy through cooperation, but through coercion.
To keep a long journey into Hobbes’ rather paranoid – and exceptionally cynical – perspective short, he ultimately proposes that a sovereign should be the one to guarantee securitas by doling out punishments for violating agreements, which requires subjugation of the ruled by the ruler.
Punishing humans who step out of line and requiring obedience to their rules – for the ruled to subjugate their other wants as secondary to the needs of the sovereign… is this not the playbook of traditional cybersecurity? It is the easiest option to pursue because eliminating or reducing hazards by design requires far more effort than demanding obedience. And if there’s one thing Homo sapiens love above all else, it is cognitive efficiency.
It is quite interesting that securitas was used as imperial propaganda during the Roman era to insist that the state was necessary and by Hobbes to insist that the state must subjugate its citizens. Does this tell us something about status quo cybersecurity? Or should we instead deem it “security imperialism”?
Security, Welfare, Dignity, and the Early Modern Era
Around the same time Hobbes was slandering humanity’s nature and proposing the need for a strong-armed state (the 16th century), securitas also started to absorb a financial meaning: something pledged as a guarantee that an obligation would be fulfilled – that the debtor has no need to worry because something has been pledged against the debt.
In this colloquial meaning (which persisted for centuries), securitas is rooted in a feeling – that the lender doesn’t need to worry. And, similarly, we see a theme throughout the Enlightenment that the state should assure citizens that they do not have to fear violence, not just ensure that they are free from violence in their everyday lives. Basically, that the state has a duty to consider the feelings of citizens, not just protect them.
It is in this era and through the Industrial era that security starts to be seen as a human right, as an essential requirement for humans to enjoy all of the other rights. After all, if you’re the victim of violence (particularly a violent death) – or in a perpetual state of worry about it – it’s pretty hard to pursue liberty or prosperity.
Thus, over time, security evolved to mean a guarantee or assurance that certain things would be accessible to an entity – like “water security” reflecting the assurance that a human individual will have access to clean water on an ongoing basis38.
The temporal implication of this meaning is important: it is not just about having access to a thing (whether a physical good or an intangible value) now, but about the guarantee that you will have access to it in the future, too. Not just that you do not have to fear a violent death now, but that you do not have to fear a violent death in the multitude of possible futures on the horizon, either.
We can trace this notion through to the more recent “social security.” The term was coined on a whim because “pension” carried too much baggage to be palatable to a wide audience. So, they defined social security as a “type of security which would… promote the welfare of society as a whole.”39 (emphasis mine)
Thus, the purpose of security is to promote the welfare of a particular entity. Extending this, the purpose of cyber security is to promote the welfare of cyber things (i.e. all things digital). While that may sound silly, there’s something important here: promoting welfare is not just about stopping threats.
What else is embedded in this purpose of promoting welfare? As we explored, dignity was tightly coupled with security during the Roman period and this association resurged with the concept of “human security,” which arose from the rejection of Hobbesian state-centric security.
While the term’s precise meaning is still subject to ample debate40, a foundational facet of “human security” is respect: that a critical part of ensuring a human is secure is ensuring their humanity is respected. Because dehumanizing certain populations and stripping them of dignity is one of the ways authoritarianism cultivates power; it is how a society slips into fascism.
What, then, should we make of the fact that the infosec industry sneakily strips users – whether the accountant clicking on a link to wire money, the marketing professional who downloads a PDF, the developer who makes a mistake when writing code – of their dignity?
The disrespectful sneer is palpable in the designation of “human error” as the cause of incidents. Security awareness training requires users to remember dozens of rules that ignore the realities of their work on thing-clicking machines and implies that it will be their fault if something bad happens. There is no respect for their time, attention, intelligence, or autonomy.
To quote the legendary James Mickens, “This is uncivilized and I demand more from life.”
But imagine a world in which cybersecurity programs prioritized respect as a core value of security! Respect for users’ private data; respect for users’ time; respect for users’ cognitive and emotional energy; respect for users’ pursuit of their priorities; respect for the organization’s pursuit of its priorities as a collection of users serving other users.
In fact, the term “users” may even be part of the problem. Users are abstract, faceless, behind a screen; they lack intrinsic worth and must be “good for” something.41 It makes it easier to disrespect them and resent them for not supporting our own goals. It makes it easier to not see them as people, but as exploitable resources that either we control or attackers do. It’s perhaps harder to blame a sleep-deprived caretaker of a lover or child or parent who, just trying to do their job well enough to keep their health insurance, clicks on something designed to look urgent and important.
Blaming a “user” for being so careless as to click on an obfuscated link and enter in their VPN credentials on the malicious site makes it a more antiseptic affair. It makes us feel like it’s a more just world rather than a chaotic one – like the problem is a user stepping out of line rather than complexities conspiring towards compromise. This dehumanization makes it easier to absolve the ruler and deride the ruled – these “users” – who are simply resources towards our ends, ever holy, ever noble.
What "Security" Means in the Information Society
We end our journey in the modern era, the information society42. The best way to summarize the concept of security in modern times is that it’s controversial af and dependent on context43. But, Wolfers’ two-part definition of “security” from 1962 is widely cited44:
- In an objective sense, security measures the absence of threats to acquired values
- In a subjective sense, security reflects the absence of fear that such values will be attacked
The term “values”, here, of course, is ambiguous and open-ended. But let’s think about what this means for the cybersecurity context.
A realist would say security is achieved when “the dangers posed by manifold threats, challenges, vulnerabilities and risks” in the digital realm are “avoided, prevented, managed, coped with, mitigated and adapted to” by individuals, groups, or organizations45.
A social constructivist would say security is achieved “once the perception and fears of security ‘threats’, ‘challenges’, ‘vulnerabilities’ and ‘risks’ are allayed and overcome.” That is, objective security is not enough; the subjective will always wield considerable influence in the cybersecurity context.
In my experience, tech bros really do not like the idea that emotions or subjectivity come into play in tech stuff at all. They tend to describe their emotions as “logic” and subjective experience as “facts.” We don’t have enough time to unpack all of that in this post (and if only more of them would go to therapy). But it’s a very real problem when traditional cybersecurity folk wisdom was often woven by people who think the objective is all that matters.
What’s worse about the cybersecurity status quo is that the subjective is dismissed but the objective isn’t even really measured. Again, objective security measures the absence of threats to acquired values. We do not have objective security in traditional infosec and, by that definition, it’s not even really what’s being pursued. Even when fleshing out the realist interpretation of objective security, traditional cybersecurity mostly focuses on the “avoided” or “prevented” part rather than the managed, coped with, adapted to part46.
From the perspective of modern scholars, security is meant to lead to more goal-oriented behavior while insecurity leads to threat-oriented behavior. As anyone who’s walked the RSAC vendor hall knows all too well, basically everything in cybersecurity today is about THREATS. Everything is a potential THREAT: your API, your CI/CD pipelines, your laptop, your phone, your fridge, your colleagues, your loved ones, even your own BRAIN is a THREAT because what if you make a MISTAKE and become the very INSIDER THREAT you swore to destroy!?!?!
Everything about the infosec status quo today reflects threat-oriented behavior, therefore implying insecurity rather than security. Traditional cybersecurity isn’t about preserving and upholding values – like prosperity or productivity or an inclusive work environment. Traditional cybersecurity is about preventing and avoiding threats, aiming for the impossible standard of attacks never successfully happening.
The cybersecurity status quo forgets the whole point of stopping the threats is to preserve certain values.
This fetishization of threats and elimination of them as an aim in itself is how we end up with cybersecurity programs which cause so much grief and anxiety and friction for everyone else in the organization. If the infosec industry actually focused on preservation of values, then UX would probably be one of the most important skills in the discipline (but how would incumbent cybersecurity vendors milk that for cash?).
After all, what’s the point of protecting the cherished organizational value of productivity from potential attacks – which likely only happen sometimes rather than continuously, from an impact perspective – if you’re going to erode that value daily through security policies that seem divorced from real goals, constraints, and workflows?
What’s the point in protecting the organization against a potential financial loss due to attack when you’re not only spending its money on security (which could be spent elsewhere), but also slowing down its ability to grow revenue due to security procedures? For an organization with $100 million in revenue wanting to gain market share, shipping 20% fewer features per year due to friction created by the security program has more material impact short, medium, and long term than a ransomware operator demanding $1 million, $5 million, or even $10 million.
Waldron’s quite recent definition of the word security summarizes this all nicely and is worth repeating here:
“… security now comprises protection against harm to one’s basic mode of life and economic values, as well as reasonable protection against fear and terror, and the presence of a positive assurance that these values will continue to be maintained in the future.”47
Cybersecurity as it stands today flunks this definition. It is impossible to provide assurance that basic and economic values will be maintained in the future if you do not know what they are, which the cybersecurity status quo does not know because they do not care because all of that is irrelevant to their noble need to sacrifice everyone’s time, energy, and money at the altar of the FUD gods to gain more budget, more headcount, more influence and they shroud this ritual in a lab coat of “rational” paranoia.
Before architecting a security program or allocating cybersecurity budget, we should understand the organization’s basic mode of life and economic values, including at the level of any teams who will be especially subject to security procedures (like software engineers). From there, we should aim to provide reasonable protection against fear and terror – that is, to provide subjective security, that ancient-school version of securitas which meant freedom from anxiety, fear, or care.
Our job as defenders should be to reduce the complexity of the security problem to such an extent that the rest of the organization is free from care about it (in fact, the systems theorist Niklas Luhmann argued that security efforts explicitly aim to reduce the complexity of the world48). And cybersecurity’s job should be to provide positive assurance that the organization’s values (like prosperity, productivity, inclusion, whatever) can be maintained going forward.
But all of the above requires user research and empathy and curiosity about things beyond cybersecurity’s viewing frustum. This modern definition of security means the organization must treat security as an interactive discipline, not a prescriptive one. The existence of a security program cannot be justified with “there is a risk here and it will never go away,”49 multiplied across all identified “risks,” which thereby implies a security organization that can only grow in scope and authority.
If those who provide security are the rulers and the users the ruled, what security really requires is the rulers respecting the ruled and the rulers earning the respect of the ruled rather than extracting it. This reflects a radical departure from traditional infosec and thus there is and will be resistance from the entrenched50.
Security, in practice, is supposed to reside at the beneficial balance between two evils: absolute fear and absolute security – and absolute security, per Kant, can only be found at the cemetery.51
Summarizing what we mean when we say “security”
Security is now one of those big words like justice and freedom and liberty which serve more as symbols with fuzzy flavors of feeling – that is, as concepts – rather than as words with straightforward definitions. As we’ve seen, asking the titular question, “When We Say Security, What Do We Mean?” is an exploratory exercise rather than an excavation. There is no ground truth we shall hit with enough sweat and shoveling.
We traversed a tapestry of meanings throughout this essay. We finish it with a rough sense of, like, “Security is about preserving chill vibes in the presence of threats to those vibes.”
But more usefully (yet less concretely), we have a better mouthfeel for what “security” means. The threats aren’t the point; the poignant part is the potential absence of a valuable good or state of being which we very much wish to preserve.
An absence of threats is only worthwhile if it guarantees the presence of serenity and prosperity. In the word “security” is also a promise – that you hold onto something of value and that this value might grow in the future.
Perhaps most of all, this semantic journey of ours today reveals how wayward traditional cybersecurity is from these notions; it resembles a nemesis of the security concept rather than its descendant. I hope you join me on the quest to finally realize the full potential of the security concept, to grow peaches rather than lemons52, to build a sweeter future for ourselves and all the other stakeholders in this strange system we call society.
If you liked this post and want to learn more about pursuing a better notion of cybersecurity, check out my new book Security Chaos Engineering: Sustaining Resilience in Software and Systems available at Amazon and other major retailers.
The parallels between black hole firewalls and the infosec kind must remain a discussion for another time (if time isn’t just an abstraction). ↩︎
I performed a secret, arcane ritual to win the favor of the eldritch ones towards my quest of making the word security mean something better. But the gods are capricious and so the ultimate fate of this endeavor remains unknown. ↩︎
Like any self-respecting former author of angsty teen poetry, I originally chose as my medium a “literary concept album” featuring six essays as “tracks,” all exploring the title’s provocative question: When We Say Security, What Do We Mean? But no one reads blog series so this is now a single post. ↩︎
As Hannah Arendt described of such words, “when we try to define them, they get slippery; when we talk about their meaning, nothing stays put anymore, everything begins to move.” (From The Life of the Mind) ↩︎
Arendt, H. (1981). The life of the mind: The groundbreaking investigation on how we think. HMH. (In the section “Thinking” / “The answer of Socrates”) ↩︎
“Surface” is a spatial metaphor. Yet again, there is much to unpack with the language we use to talk about cybersecurity but, to keep with the metaphor, time marches onward… ↩︎
“The truth is rather that I infect them also with the perplexity I feel myself.” – Socrates ↩︎
This may sound like a journey up one’s ass, but it’s better than being a cookie-cutter infosec ass, I assure you. ↩︎
I think the closest we get to Platonic dialogues in modern times is Ao3 fanfiction #slowbuild #lightangst #friendship #humor #confessions #aroace #college #dom/sub #drama #alpha/beta/omegadynamics ↩︎
Rorty, Mary. “Lecture 10.1: Epicurus and Lucretius.” Stanford University. http://web.stanford.edu/~mvr2j/ucsccourse/Lecture10.1.pdf ↩︎
Infosec as an entity truly exhibits a weird form of masochism that honestly becomes slightly uncomfortable to contemplate if we start untangling all the evidence in support of it. ↩︎
I am tempted to delve into the psychological concept of security and insecurity but I fear its revelations – despite being aimed at infosec as collective – would be interpreted as personal attacks. I will leave this one morsel for us to digest: the APA defines insecurity as a feeling of inadequacy, a lack of self-confidence, an inability to cope combined by general uncertainty about one’s goals, abilities, or relationships with others. To what degree does this notion of psychological insecurity accurately characterize the traditional infosec industry – its folk wisdom, zeitgeist, program priorities, prescribed procedures, policies, and so forth? ↩︎
“Our time” here is referring to the time of Socrates (the inspiration for “Secrates”), which was in the 4th century B.C.E. Therefore, the rise of asphaleia meaning the stability of the city state was around the 5th century B.C.E. ↩︎
In return, these stringent practices reinforce the status quo and uphold organizational power structures, which suits leadership just fine (and, besides, how would we expect them to know how security programs could look outside of the infosec status quo?). ↩︎
You watch the church leaders exchange influence for money, but instead of imparting the power of the Holy Spirit it’s your unfortunately unscrupulous CISO pushing some dogshit into your stack because their buddy invested in the startup and they do this back and forth and then blame the engineers or users who don’t want to interact with the dogshit for why everything is failing because nothing is your fault when you have the authority of something sacred, whether the Holy Spirit or the Security Spirit. ↩︎
I do find it interesting that when CISOs do not disclose a breach, instead laundering it through a bug bounty program, that is being “strategic” and showing security leadership, but when a software engineering team doesn’t fix a security bug immediately – no matter how contrived the exploit scenario – then they lack integrity. ↩︎
Perhaps we should be grateful there aren’t LinkedIn posts like “here’s the best way to run your sin response team #securitas #ciso #inquisition #SinSecOps.” ↩︎
Wonderly, M. (2019). On the Affect of Security. philosophical topics, 47(2), 165-182. ↩︎
Intriguingly – and rather self-servingly, although I did not expect it to be so when delving into this thought exercise – the original meanings of securus and securitas align nicely with the goals of Software Resilience (aka Security Chaos Engineering (SCE)). Composure is something for which resilience strives through the practice of repeated experimentation. Resilience wants security to be quiet, it seeks to foster organizational confidence, to grant organizations the freedom to not fret about potential incidents because they feel so well-practiced through experimentation, strong feedback loops, and resilient design that they feel fearless about the inevitable. In fact, we explicitly encourage defenders to have fun with chaos experiments, getting infosec closer to that original connotation that security involves a feeling of being cheerful and bright. ↩︎
From De Officiis passage 69 (nice): “Vacandum autem omni est animi perturbatione, cum cupiditate et metu, tum etiam aegritudine et voluptate nimia et iracundia, ut tranquillitas animi et securitas adsit, quae affert cum constantiam, tum etiam dignitatem.” This translates roughly to: “But it is necessary to be freed from all disturbance of the mind, with desire and fear, and also from sickness and excessive pleasure and anger, so that there may be peace of mind and security, which brings with it constancy, as well as dignity.” ↩︎
Pop-stoicism seems to be trending among security leaders lately but we do not have time to unpack why this is so, nor its troubling implications. ↩︎
From De constantia sapientis: Nullius ergo mouebitur contumelia; omnes enim inter se differant, sapiens quidem pares illos ob aequalem stultitiam omnis putat. Nam si semel se demiserit eo ut aut iniuria moueatur aut contumelia, non poterit umquam esse securus; securitas autem proprium bonum sapientis est. This translates roughly to: “Therefore no one will be moved by insults; for although they all differ from one another, the wise indeed think that they are equal because of their equal stupidity. For if he has once humbled himself to the point of being moved either by injury or insult, he will never be able to be secure; but security is the proper good of the wise.” ↩︎
This is another case where Software Resilience (aka Security Chaos Engineering) aligns with the historic meaning of securitas better than traditional security. Resilience accepts that failure is inevitable but gains confidence from preparation. It trusts that all our preparation will help us respond gracefully to failure. ↩︎
History is not without its ironies; Nero adopted the mantle of securitas – the divinity imparted by a mindset of fearlessness of death – and then ultimately died by suicide. ↩︎
Schrimm-Heins, A. (1991). Gewissheit und Sicherheit: Geschichte und Bedeutungswandel der Begriffe certitudo und securitas (Teil I). Archiv für Begriffsgeschichte, 34, 123-213. ↩︎
Of course, with a Resilience strategy, we want to foster this sort of assurance through repeated experimentation – cultivating confidence through empirical evidence affirming or denying our hypotheses about the resilience of our systems. ↩︎
Upon learning this, I immediately updated my brain dictionary lookup to display Security as a gorgeous transbian goddess whose favorite language, naturally, is Rust. I am hoping for a crossover episode in which our representative enby god, Loki, woos her by donning thigh highs made of the tendons of her enemies. ↩︎
Quis custodiet ipsos custodes? ↩︎
It was Pope Gregory I as hypeman for this interpretation and, yet again, the parallels between traditional infosec and the authoritarianism of the Catholic Church are… intriguing to say the least. ↩︎
It’s been fun watching the industry catch up to me. ~6 - 7 years ago when I was dropping spicy takes about how bullshit “gotchya” security tests are (along with a bunch of other behavioral science-informed takes), I got a ton of pushback and usually vitriol. BuT ReAL aTTaCkErS dOn’T CaRe AbOuT fEeLinGs. Many of those same people now launder those takes and pretend like they were always on board. There’s probably a post in itself about the adoption cycle of hot takes where, at the beginning, people bristle because it’s new and bold and different but eventually it’s accepted enough that it’s worth changing your beliefs and evangelizing it to look “thought leadering.” Hopefully one day I’ll be similarly vindicated with my (still wildly unpopular) take that “DevSecOps” is an unnecessary and harmful term. ↩︎
Hobbes, with the benefit of hindsight and historical documentation, viewed the Peloponnesian War as a civil war among the Greek people. It seems at the time it was not perceived that way by Athens, its allies, or its enemies. The Persians were the starkest “other” throughout much of ancient Greek history, but by the time of the Peloponnesian War, the Persian “threat” was more like a distant, hazy shadow. Thus, the “other” from Athens’ perspective was other city-states, including its own allies who they feared would betray them (which they did, although “betray” perhaps is not the best characterization of the affair). ↩︎
I promise I did not make this name up. ↩︎
Bridging the Developer and Security Divide, VMWare, Forrester Research (2021) ↩︎
UN-Water, 2013. Water security and the global water agenda—A UN-Water analytical brief. Hamilton: United Nations University. See also: https://www.unwater.org/publications/water-security-infographic/ ↩︎
Social Security: Origin of the Term at https://socialwelfare.library.vcu.edu/social-security/social-security-origin-of-the-term/ ↩︎
Christie, R., & Amitav, A. (2008). Human security research: progress, limitations and new directions (pp. 11-08). Working Paper. Centre for Governance and International Affairs. http://www.bris.ac.uk/media-library/sites/spais/migrated/documents/christiearcharya1108.pdf ↩︎
Heidegger, M. (1977). The question concerning technology. New York, 214. https://www2.hawaii.edu/~freeman/courses/phil394/The%20Question%20Concerning%20Technology.pdf ↩︎
It also brings us to one of my favorite book quotes: “In the information society, nobody thinks. We expected to banish paper, but we actually banished thought.” (said by Ian Malcolm in Jurassic Park by Michael Crichton). ↩︎
“Security is ambiguous and elastic in its meaning.” – Art, 1993 ↩︎
Wolfers, A. (1962). Discord and collaboration: essays on international politics. Baltimore: Johns Hopkins Press. ↩︎
Brauch, H. G. (2011). Concepts of security threats, challenges, vulnerabilities and risks. In Coping with global environmental change, disasters and security (pp. 61-106). Springer, Berlin, Heidelberg. https://link.springer.com/content/pdf/10.1007/978-3-642-17776-7_2.pdf ↩︎
Yet again, this is a dynamic Software Resilience (aka Security Chaos Engineering (SCE)) is seeking to change. ↩︎
Waldron, J. (2006). Safety and security. Neb. L. Rev., 85, 454. ↩︎
Luhmann, N. (2018). Trust and power. John Wiley & Sons. ↩︎
I have much, much more to say on this topic (inspired by this paper: Power, M. (2009). The risk management of nothing. Accounting, organizations and society, 34(6-7), 849-855.) ↩︎
Surprise, surprise, Software Resilience (aka Security Chaos Engineering (SCE)) is aligned with the vibe of earning respect. ↩︎
Arenas, J. F. M. (2008). From Homer to Hobbes and Beyond—Aspects of ’security’ in the European Tradition. In Globalization and environmental challenges (pp. 263-277). Springer, Berlin, Heidelberg. ↩︎