
Perceived vs. Substantive Security

A well-known safety issue in the ITS world is the notion of perceived vs. substantive safety. Essentially, perceived safety refers to how safe a person feels, generally due to an external tool or measure such as a seatbelt, an airbag or a “five-star” crash safety rating. Substantive safety is how safe a person actually is. These often go hand-in-hand (an airbag has both perceived and substantive safety), but conflict arises when a tool’s safety is more perceived than substantive (an airbag is meant to supplement a seatbelt, but many drivers believe they will walk away from an accident with an airbag alone, which is not the case).

Another example of perceived safety versus substantive safety is the traffic signal vs. the roundabout. Traffic signals are perceived as safer because an observer (in this case, an inductor loop or CCTV camera) controls the flow of traffic. Because the observer can be ignored (a vehicle running a red light, which happens more than daily) yet still trusted (“my light was green!”), this can increase the likelihood of avoidable traffic crashes. Traffic roundabouts have a generally favorable safety record because drivers still have to pay attention to oncoming vehicles. However, drivers in a community often push back on roundabouts because roundabouts make them nervous: they require everyone to be an observer. The accepted view is that traffic signals would be much safer if drivers applied the same caution at a signal that they display at a roundabout. Without sound judgment, a tool will only help so much.

Similarly, there is a distinction between perceived and substantive security, where the analogy above is fitting. An admittedly simplified example would be antivirus software as the traffic signal vs. security policy as the roundabout. In this instance, the antivirus software is the observer and is well trusted. However, its perceived level of security is much higher than its substantive security (for example, its ability to handle “zero-day” threats is minimal, among other deficiencies, most of which home users are unaware of). The observer can be ignored: in this case, not paid attention to, or pushed to its limits through poor judgment such as visiting seedier web sites or opening strange attachments. Nevertheless, it is still trusted (“How could I possibly get a virus when I clicked ‘InstallSneakyVirus.exe’? I have antivirus software!”). Relying on the tool alone can increase the likelihood of avoidable malicious attacks. Security policy alone, however, would make any IT professional nervous. If the policy is accurate and strictly enforced (a monumental task in itself) and the threat of a virus is at the forefront of the user’s mind (as the threat of a traffic accident would be for a driver), then it can be much more effective, because it requires each person to be an observer and thus take greater care in the activities they pursue.

Moreover, just as applying roundabout-style caution at a traffic signal is better than either alone, enforcing strong security policies alongside antivirus software is better than either the security policy or the antivirus software by itself. For home users, this may mean using Norton Antivirus and not clicking links from unknown or untrusted sources. For enterprise environments, this may mean using all the weapons at your disposal, including white- or graylisting, packet filtering, firewalls, intrusion detection, hardware lockdown, and other policies that protect the integrity of your enterprise (and, of course, installing and using antivirus software as well). After all, it’s better to be (substantively) safe than (substantively) sorry.

—Erhan K.

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.

2 Responses to “Perceived vs. Substantive Security”

  1. about buying web traffic

    Good post. I learn something new and challenging on sites I stumbleupon on a daily basis. It will always be exciting to read through articles from other writers and practice a little something from their sites.

  2. Learn about Walk Through Metal Detector

    I loved as much as you’ll receive carried out right here. The sketch is attractive, your authored material stylish. nonetheless, you command get got an nervousness over that you wish be delivering the following. unwell unquestionably come more formerly again as exactly the same nearly a lot often inside case you shield this increase.
