Security and safety

Pascal Cuoq - 16th Mar 2012

I usually feel uncomfortable diving into the subject of safety vs security, because while I think I have a good intuition of the difference between them, I find this difference hard to formalize in writing. Fortunately, a large “security” “administration” provides:

“We use layers of security to ensure the security of [...]” (source [removed dead link] proudly linked from here [removed dead link])

The difference between safety and security is that if the aforementioned administration were trying to ensure the safety of the traveling public, then accumulating a large enough number of rubbish detection layers would work. In safety you are working against a harsh but neutral universe. It is okay simply to do your best to ensure that a safety-critical component works as designed, and then to put in some redundancy and perhaps some fail-safe mechanism, because you are actually multiplying probabilities of failure. Assuming your design works, and naming p₁ the (low) probability that one component fails and p₂ the probability that the fail-safe fails, the probability that two out of three redundant components and the fail-safe fail simultaneously is of the order of p₁²·p₂, up to a small combinatorial factor (3, for the number of ways to choose the two failing components). Accumulate enough layers and you can make the overall probability of failure low enough.

And that's the difference really.

The intuition is that good protection can be obtained by accumulating imperfect layers. The intuition works well when the probabilities of failure of the layers are somewhat independent; when they are completely independent, probability theory tells us that they can be multiplied. And the defining property of security, as opposed to safety, is that when dealing with a security issue you cannot assume that the probabilities of failure of your layers are independent, because all the layers tend to fail in the same conditions, namely when a smart attacker is trying to get through them.

Consider layer number two in the previously linked diagram, “Customs and border protection”. This means requiring the potentially dangerous visitor to fill in a form asking whether ey plans to overthrow the government during eir stay. Terrorists who fail at this layer are the same terrorists who cannot figure out how to get arbitrary quantities of liquid explosive past security (100ml at a time, or inside their bodies), or how not to use liquid explosives at all. Conversely, and critically, the very same terrorist who can solve the latter problem can figure out the correct answer to the government-overthrowing multiple-choice question on eir applicable immigration form.

And if you are still unconvinced, please consider computer security. Tons of partial protection layers have been implemented in recent years: non-executable this and randomized that. If each layer had improved computer security commensurately with its ability to thwart the average hacker, we would be safe browsing the “interwebs” (this is a technical term that security experts use). Unfortunately, all the protection layers are only good at disarming the same hackers: the inferior ones. Each layer adds some security, but not the quantity of security that intuition predicts.
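As an added illustration (this script is not part of the original post), the following Python contrasts the safety arithmetic of the redundancy paragraph above with a toy model of the security case made by the computer-security paragraph: every layer is attacked by the same adversary, and layer i stops only adversaries whose skill falls below a threshold t_i. Looked at one layer at a time, each layer stops a large fraction of adversaries, so the "multiply the layers" intuition predicts a tiny bypass probability; looked at as a stack, the whole thing is defeated by anyone above the highest threshold. All numbers (p₁, p₂, the thresholds, the skill distribution) are constructed for the example, not measured.

```python
"""Layered defences: independent failures versus failures that share a cause.

Two toy models of an n-layer system (constructed numbers throughout):
  * safety model: each part fails on its own, with an independent probability;
  * security model: every layer is beaten by the same attacker, and layer i
    stops only attackers whose skill is below a threshold t_i.
"""
import random


def two_of_three_with_failsafe(p1, p2):
    """Safety case from the text: a component with failure probability p1 is
    triplicated (the system works while at least two of three are up) and
    backed by a fail-safe that fails with probability p2.  All failures are
    assumed independent, so probabilities multiply.
    Returns P(at least two components fail) * P(fail-safe fails)."""
    at_least_two_fail = 3 * p1 ** 2 * (1 - p1) + p1 ** 3
    return at_least_two_fail * p2


def independent_bypass(layer_bypass_probs):
    """What the 'accumulate layers' intuition predicts: the product of the
    per-layer bypass probabilities, valid only if the layers fail independently."""
    p = 1.0
    for q in layer_bypass_probs:
        p *= q
    return p


def naive_prediction(thresholds):
    """Per-layer view of the security model.  Layer i lets through the fraction
    1 - t_i of attackers (skill uniform on [0, 1)); treating layers as
    independent multiplies those fractions."""
    return independent_bypass([1.0 - t for t in thresholds])


def skill_model_bypass(thresholds):
    """Security model, exact.  One attacker with skill s ~ Uniform(0, 1) faces
    every layer; layer i is defeated iff s >= t_i.  The stack is defeated iff
    s >= max(t_i), so the bypass probability is 1 - max(t_i): the weak layers
    contribute nothing because whoever beats the strongest layer beats them too."""
    return 1.0 - max(thresholds)


def simulate_skill_model(thresholds, trials=200_000, seed=1):
    """Monte Carlo check of skill_model_bypass: draw an attacker, run it
    through all layers, count full bypasses."""
    rng = random.Random(seed)
    defeated = 0
    for _ in range(trials):
        s = rng.random()
        if all(s >= t for t in thresholds):
            defeated += 1
    return defeated / trials


if __name__ == "__main__":
    # Safety: the same p for component and fail-safe, three redundant copies.
    print("safety, 2-of-3 + fail-safe:", two_of_three_with_failsafe(0.01, 0.01))

    # Security: three layers (say, a non-executable stack, address-space
    # randomization and an immigration form), each stopping 90% of attackers.
    layers = [0.9, 0.9, 0.9]
    print("naive product of layer bypass rates:", naive_prediction(layers))
    print("exact, same attacker faces all layers:", skill_model_bypass(layers))
    print("simulated:", simulate_skill_model(layers))
```

The exact and simulated security figures agree with each other and are two orders of magnitude worse than the product the per-layer view predicts: adding a second and third layer with the same threshold as the first changes nothing, because the attacker who clears one clears all. Raising any single threshold does help, which is the sense in which "each layer adds some security": the stack is as strong as its strongest layer against a given attacker, not the product of all of them.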
