Think about trust, not threats

A conversation arose today about threat analysis and I responded that I am against this practice of doing threat analysis. I thought that others will benefit from reminding them about design goals and how security fits in them.

Threat – countermeasure is easy to explain to a novice but produces very ugly and inefficient systems. Just observe the laptops and devices you use and how irritating security often is.

In the military aerospace we have done many studies on this subject.

In the military we used threat modelling for external defenses, for example against terrorists, now against terrorists with drones.

For the systems engineering we used trust model with the focus on integrity.

The reason for that is that in the military, life (and in military aerospace life of the entire planet) depends on quick and correct decisions. Ergonomics and quick decision making are the primary design goals. Security must not interfere with efficient decision making. Ergonomics must support quick decisions without requiring to figure out how the system works.

In the military, we had simulated practicing, for example a team of 3 people would collaboratively, each responsible for his subsystem that affected performance of the other two people, control a complex system (think a nuclear submarine) where failure of any person would lead to a failure of the mission – and all that under extreme stress, for example time limitation. Add to this simulation communication with the external teams and systems and overlay security for the system and for the communication channel.

That efficiency becomes the design goal that includes security as part of the systems engineering – and not something that is added as a countermeasure for threats.

Military security includes deception and misdirection. There are some amazing examples. In 1941 Russia built mock factories that Germans bombed while production facilities continued working intact. Recently, also Russia put a new system under the US satellite to see the response and to evaluate its capabilities and they succeeded.

At some conferences sometimes I ask the ultimate security question. This is no longer a classified information so I can say it here: Until mid-1970s anyone with physical access to a nuclear warhead and a battery pack could detonate the warhead. How would you, an engineer, secure it? Additionally, remember that it cannot explode in any accident or due to any malfunction but it still has to work correctly. There were many accidents including collisions of the nuclear submarines, even recently. Here’s a test of your understanding of security engineering.

There are other systems that must be secure, and they are secure.

One more important thing here. Security is not reliability. This is vital to understand: we do not know how to build 100% reliable systems; we only know how to manage risk – your system will fail, and your design must ensure that it fails in a predictable way. Your system must be able to adapt and to survive. You must design and build your system for failure!

I said it before: Do not conform and question everything!


From one of my slides:

Think about trust, not threats

  • Think about trust, not threats. Think about usability and efficiency as attributes of your security architecture. Security has to be transparent to the user of your system.
  • Threat analysis is like focus on sickness and not focus on “wellness” (ongoing integrity of the whole system).
  • Threats -> Countermeasures -> External to the System
  • Trust -> Human Emotion -> Connection & Happiness

I shared this FBI training video before. It puts security in perspective.

Physical Security: An Ever Changing Mission: 1996 Federal Law Enforcement Training Center

This video provides an overview of the evolution of physical security measures, due to increased criminal activity, and outlines pro-active strategies and physical security techniques used to augment the traditional reactive responses to crime.

Physical security describes security measures that are designed to deny unauthorized access to facilities, equipment and resources, and to protect personnel and property from damage or harm (such as espionage, theft, or terrorist attacks). Physical security involves the use of multiple layers of interdependent systems which include CCTV surveillance, security guards, protective barriers, locks, access control protocols, and many other techniques…

Physical security systems for protected facilities are generally intended to:

  • deter potential intruders (e.g. warning signs and perimeter markings);
  • detect intrusions and monitor/record intruders (e.g. intruder alarms and CCTV systems); and
  • trigger appropriate incident responses (e.g. by security guards and police).

It is up to security designers, architects and analysts to balance security controls against risks, taking into account the costs of specifying, developing, testing, implementing, using, managing, monitoring and maintaining the controls, along with broader issues such as aesthetics, human rights, health and safety, and societal norms or conventions. Physical access security measures that are appropriate for a high security prison or a military site may be inappropriate in an office, a home or a vehicle, although the principles are similar.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: