# Security summarized Security, by its design, is keeping specific assets [safe](safety.md) by preventing actions from happening that would adversely affect those assets. To that end, every secure thing has to have the following questions answered: 1. *Who or what*, exactly, is the asset being protected? 2. *Who or what*, approximately, could damage or destroy #1? 3. *How* would #2 happen? 4. *What or how* can #3 be stopped? We simply don't know the sources of what would harm our assets (#2) without [experience](understanding.md) or [education](education.md), but it's easy to [imagine](imagination.md) we do: - It's impossible to know about risks you couldn't have been exposed to, but it's easy to imagine our [fears](mind-feelings-fear.md) in that direction. - [Risk management has many domains](safety-riskmgmt.md), and confidence in one [specialization](jobs-specialization.md) can lead to presuming aptitude in other domains. - If we have particularly strong [trust issues](trust.md), we may not believe that others could be more specialized in managing those risks than we can do ourselves. In practice, knowing how things could be infiltrated (#3) is *not* conducive to [mental wellness](mind-feelings-happiness-focus.md) or [a meaningful life](goodlife.md) beyond a certain point: - 1-10% of society provides any legitimate risks to assets, and the rest of the people would never even *think* of doing anything adverse to it. - Dwelling on security risks beyond necessity almost guarantees you'll transfer an appropriately heavy-handed approach to a minority of people toward everyone else. The domains of security break apart into many other subdomains: - [Law enforcement](legal-safety.md) protects against the violation of a nation's [rules](people-rules.md). - Private security protects against their [clients](people-6_contracts.md) or their possessions. - [Cybersecurity](computers-cysec.md) is the protection of adverse events involving [computers](computers.md), which can range from [encryption](encryption.md) to [group policies](computers-cysec-compliance.md). - Personal security involves protecting yourself and your possessions. - Locks and their mechanisms protect against breaches of physical things. - Most domains of [risk management](safety-riskmgmt.md) are [specialized](jobs-specialization.md) towards at least *some* aspect of the philosophies driving a security mindset. The principle of deterrence is to provide enough risks against bad actors (e.g., automatically notifies the police) that they would reconsider acting. - Anyone sufficiently motivated and sufficiently skilled, however, can still steal or destroy anything they want. - The objective, therefore, is not to be *completely* secure, since that can't happen. Instead, there are two large-scale objectives for any secure system: 1. Motivate the bad actor to perform action against a neighboring victim (e.g., a chain-link fence versus the neighbor having no fence). 2. Minimize the scope of possible destruction or theft from the bad actor (e.g., a different locked door for each room). In particular, events that are both incredibly devastating and extremely unlikely are important to consider, but most people don't think about it: - We can often be so preoccupied with [a project's status and deadlines](mgmt-4_status.md) that we forget about what happens if we *do* succeed. - In many domains, the "ready, fire, aim" approach will be the most likely to get to market, and therefore [succeed against competitors](entrepreneur-3_plan.md). - Unless you're in a high-risk area, security systems cost money immediately, but it rarely provides any short-term benefit, especially against competitors. - The only way to allow security to work as part of the organization's mission (rather than against it) is to have safety or security as part of its [core values](mgmt-6_morale.md) or [marketing](marketing.md). It's difficult to gauge the effectiveness of a security system, for several reasons: 1. If it's obvious that they exist, their very existence may deter bad actors. 2. Their system will only be proven effective when the risk is too great to take the chance. This can be offset partially by intentionally hiring bad actors to attempt an infiltration (e.g., [Pentesters](computers-cysec-pentest.md)), but that's only dependent on the intelligence and skill of those infiltrators. ## General principles Record absolutely everything, and keep several copies safety stored away from public access. Understand the domains you wish to keep safe, and delegate anything you don't understand to an expert. Absolutely *every* piece of tangible information can present a security risk. - Knowledge of small details (e.g., favorite sports team, hometown) can lead to further information (known associates in a photo, medical records). Always communicate the presence of a security system. Only communicate the threat of the security system, but not its specifics. - Knowledge of a particular system can lead to knowledge of that system's procedures. ## Personal security Besides keeping yourself safe, personal security arrangements also have the side effect of more effective [legal protections](legal-safety.md) as well. Avoid public intoxication or inebriation. Have security-enforcing items *before* you need to use it. - Use a low-profile money belt or anti-theft bag. - Never carry large sums of cash on your person, and never all at once. - Place interested parties in an emergency on speed-dial. - Wear bio-monitors that send automatic updates to interested parties. - Consider investing in a body camera and dash cam for your [automotive](autos.md). - Get at least a few more locks than you technically need. - Test every lock or safe before using it. - If you're particularly high-profile, consider getting body armor under your shirt. Beyond the equipment, most personal security comes from practicing healthy [habits](https://adequate.life/habits/). - Before traveling around a city, note the comparative crime statistics relative to other parts of that region. - Crime statistics are effectively worthless large-scale (since they only determine crimes *recorded* and not the actual number of crimes), but law enforcement have similar mindsets to fishermen: go where the likely events will happen. - When entering a new room, do a quick sweep of all potential risks. - Note all entry and exit points. - Consider anything that could be used to incite violent action (e.g., flammable objects). - When in a domicile, stay prepared. - Make sure the locks and peephole work properly. - Don't let strangers into your place, even if they state they have official permission. - Learn [specific ways to be safe from other people](safety-security-specific.md). If you're seriously committed, learn a working knowledge of an unarmed martial art.