Thoughts on Information Safety
· @jabenninghoffLately, I’ve been thinking about the concept of Information Safety, and how it differs from Information Security. When I talk to people about the idea, especially non-security people, they typically find “safety” more appealing than “security,” but for the concept to pay off, it has to be more than just a re-branding of existing security concepts.
For me, the concept of information safety is an answer to Donn Parker’s challenge to information risk management in 2006. In his article for the ISSA Journal, “Making the Case for Replacing Risk-Based Security,” Donn observes that there are two types of problems information security: ongoing attacks that are virtual certainties, like viruses, and rare, unpredictable incidents. I agree with his observations, but disagree (somewhat) with his conclusion to use a due diligence approach – do what we have always done. For me, information safety is the approach for ongoing & certain attacks, and protection is the approach for the rare & unpredictable.
I recently came across an article published by the American Institute of Architects (by way of Wikipedia) that includes elegant definitions for both security and safety, which highlight the problems within the information security profession that demonstrate the need for a safety practice:
Safety involves whatever contributes to maintaining the “steady state” of a social and physical structure or place in terms of whatever it is intended to do. Safety connotes stability over time, continuity of function and reliability of structure.
Security is the process or means of delaying, preventing and otherwise protecting against external or internal dangers, loss, criminals, and other individuals or actions that threaten to weaken, hinder or destroy an organization’s “steady state,” and otherwise deprive it of its intended purpose for being.
For me, the notion of “steady state” is key to safety. Our current focus on security (what I call “protection”) leads us to focus on protecting against threats, while establishing and maintaining a steady state is undervalued and even neglected. We have information security organizations, but where are our information safety teams?