CHAPTER 7

Security and Risk

The task of security has evolved rapidly in an interconnected age. Where previously police and private forces had to protect physical assets with fences, locks, and other tangible efforts, now both threats and assets can be ephemeral and distributed. Networks of networks introduce redundancy (as in a power grid, where the local generating plant no longer constitutes a single point of failure), but they also introduce unprecedented levels of complexity. That complexity underlies all considerations of security, which has moved from obvious efforts to protect things and people from harm (in the ways just mentioned) to become a maze of cost-benefit-risk considerations. Those calculations are complicated by humans' completely predictable inability to assess risk rationally.

Considered as a sociotechnical system of people and technologies interacting in both directions, the discipline of security must be conducted very differently as compared to local efforts of a constabulary or parking lot guard. Thus, our focus here is on the managerial imperatives rather than on the techniques of perimeter protection, intrusion detection, firewall selection and configuration, password resets, and other activities that often constitute the focus of the discipline. In short, mastering the domains of costs (hard and soft), benefits, and risks requires new skills, new metrics, and new attitudes compared to the practice of physical security conducted in local settings.

Landscape ...