reducible to or completely explicable in terms of individuals' behaviour (see emergence). Semantic
holism denies the claim that all meaningful statements about large-scale social phenomena (e.g., “The
industrial revolution resulted in urbanization”) can be translated without residue into statements about
the actions, attitudes, relations, and circumstances of individuals.
– Encyclopedia Britannica Online
What we will find out is that anytime security is viewed as something other than a holistic enterprise,
mistakes can undermine overall security. In short, when we treat security as a holistic enterprise, we
find the following:
• People are the problem
• People are the solution
• Security technology can help people make good decisions about security
• Security technology can help when people do not make good decisions about security
• Decisions made by people can render security technology ineffective
A character in a famous movie spoke the words “Those who build on people build on mud” right
before he met his demise. He was wrong because he underestimated the intense loyalty that a
person can feel towards another person. Returning to security, we can paraphrase a more correct
saying: “Those who deploy security technology without regard to people build on mud”.
Actually, talking about a specific security technology under the umbrella of the label “Security” is a
type of mistake. Let’s look at what is called a category mistake.
Category Mistake
The philosopher Gilbert Ryle formally introduced the concept of applying a macro term to a micro
entity as a type of mistake – specifically, the category mistake. A common example of a category
mistake is when a tour of a university is given to a new student. The tour guide takes the new student
around the various buildings – the “school of engineering”, the library, and so on. After the tour is
over, the new student says something to the effect of “that was all very nice, but where is the
university?” The new student has made a category mistake – they assumed the university was a
building (micro) rather than a series of buildings under a common goal or theme (macro).
A similar example can be made with automobiles. Let’s assume that you are an automobile mechanic
and that you have completely taken apart your car in your workshop. You tell your three-year-old son
to come look at Daddy’s automobile. After viewing the driveline, the engine, the wheels, and all the
various parts of the automobile, your son asks: “But Daddy, where is your automobile?” Your son has
made a category mistake.
Security analysts and consultants often make the exact same mistake without realizing it. Continuing
with our automobile example, instead of labeling the automobile parts by their common names, let’s
label them SSL/TLS, Web Services, AES, and so on. A security consultant/developer/analyst making
a category mistake will often stop at SSL/TLS and claim that they have found security. This behavior
is equivalent to holding up a driveline of an automobile and claiming to have found the automobile.
Everyone reading should repeat the following to themselves:
• Security is not a cryptographic algorithm
• Security is not a network protocol
• Security is not encryption
These are all category mistakes. Security is a holistic enterprise involving people, processes,
technology, and how they all interact. Sometimes that is hard to understand and can also be a bit
intimidating. With such a definition, how do you know where to start? For example, if you were the