Security Exists As A Spectrum

When I discuss security, be it online or offline, I often mention threat models and cost-benefits analysis. Unless you understand what you’re defending against it’s impossible to develop an effective defense. And if you don’t perform a cost-benefits analysis you may end up investing far more into securing something than it’s worth. The thing with threat models and cost-benefits analysis is that they’re, like security in general, subjective. This is a fact lost on many people as Tam so eloquently explained:

People buy into safety. It’s important for people to feel safe. For some reason, people view safety as a binary state and not an ongoing process. Therefore, when something comes along to remind us that we might not be as safe as we think we are, or there’s an optional activity we could undertake to improve our safety, it rustles our jimmies and we get all upset and fling poo at that thing and wave branches at it until it goes away and we can return to feeling safe. It’s why people who ride without helmets come up with all kinds of BS excuses about hearing and wind drag rather than just admitting “Hey, I’m comfortable with the extra risk of skull fractures in order to feel the wind in my hair.”

[…]

And here’s the thing: It’s okay to not wear a helmet. It’s okay to not carry a gun. It’s okay to not like the Gadget. It’s okay to open carry and not take thirty-eleven years of BJJ and weapons retention training. It’s still (mostly) a free country… *but own the types of risk you’re assuming*. Don’t hand-wave them away and shoot the messengers who point them out. Say “Look, I’m comfortable with these risks and don’t want to make the life commitments it would take to mitigate them” and most people will totally understand that.

People often get caught up in their binary view of security. This phenomenon has lead to countless discussions that were ultimately pointless. Motorcycle helmets are a classic example of this. Before donning a helmet a motorcycle rider first does some threat modeling. Usually the threats involve large four-wheel vehicles the motorcyclist has to share the road with. After identifying potential threats they then add perceived risks of encountering those threats to the model. Then they do a cost-benefits analysis. Many feel the costs of a helmet; the lack of feeling wind on their face, for example; outweigh the benefits when applied to their threat model. You can bitch at them all you want but security is subjective.

Carrying a gun is another example. I carry a gun because the costs, to me, are lower than the benefits. My manner of dress lends itself to carrying and concealing a firearm and my setup is comfortable. The benefits, for me, are having a tool available if I should happen to be attacked. Although my threat model indicates the risk of me being attacked is very low it’s still high enough to offset the low costs of carrying a gun. Somebody else may look at their threat model, which also sees the risk of being attacked as very low, and compare it to the costs of completely changing their manner of dress to conclude carrying a gun is more costly than the benefits provided. They’re not right or wrong; security isn’t binary.

As a general rule, unless it’s asked of me, I try to avoid critiquing other people’s security plans. There’s just no point unless I known what criteria they used to develop their plans. While a lack of a home alarm system may seem incredibly stupid to some people it may be more cost than its worth to somebody who has really good theft insurance.