Tuesday, March 06, 2012

"Absolute" vs. "Perfect" Security

“Absolute security” and “perfect security” are not one and the same – the terms are not synonymous. And let’s be clear from the outset: There is no absolute security; and while perfect security may be hypothetically possible at any given moment in time, long-term perfect security is also not possible.

First, some working definitions: Absolute security is the theoretical state of total, complete and unqualified protection and safety of a given asset (some specific person, place or thing, including intellectual “things”). Perfect security is the practical state of utilizing the most appropriate security measures and strategies for a given asset at a given moment in time to protect against immediate, specific threats. A subtle but important difference.

From another perspective: Absolute security would protect against any conceivable or possible threat at all times. This condition simply cannot exist: No security program or strategy can ever totally assure that assets will not be lost or that a legal challenge to security efficacy will not be successful. Depending on a number of uncontrollable variables – such as the commitment, motivation, resources and persistence of an attacker; the inexplicable failure of a protective measure at a crucial moment; or even the whims of a jury – the best security measures may sometimes fail or be deemed to be inadequate. Nothing can be done to assure that nothing will ever happen.

On the other hand, perfect security keeps whoever/whatever is being protected safe right now, from whatever threat is occurring right now. This is attainable, albeit for limited periods of time because situations and conditions change constantly and continuously, and that which is adequate and sufficient right now may not be adequate and sufficient in a few minutes or hours or days. The best that can be hoped for – and what those responsible for security should strive for – is to control as many facets of the security strategy as possible for the longest time possible, and to monitor the strategy continually to assure that emerging threats and unanticipated failures can be best and most expediently mitigated.

As with most issues related to security, one should hope for the best while planning for the worst.