Security is not a switch

It would be nice if there existed a straightforward security solution for every security problem in the world. Unfortunately, security is not that simple. Managing your security requires that you recognize an important point: security is not a switch that reads either “on” or “off”.

Security is a matter of degrees, and it involves tradeoffs. Perfect security doesn’t exist, but you can almost always be more secure than you are now. And once you’ve made yourself more secure, you could choose to become more secure still. That’s the matter of degrees.

Wherever you stand on the security spectrum, then, you can spend more time and more money in an effort to gain greater security. That’s why the level of security you eventually decide on involves tradeoffs. Ideally, your chosen level of security should correspond to the value of what you want to protect. For example, you should put more time and effort into protecting your bank account password than into protecting an average hotmail account (unless the account contains some really valuable information!).

How secure do you need to be?

So, if you need to make tradeoffs and can never be perfectly secure, how far should you go? How much should you spend in terms of time and money to protect yourself?

In coming to an answer, I’m reminded of an old joke that starts with two friends running from a hungry bear. The bear is closing the gap quickly. One friend turns to the other and screams, “We’ll never outrun him! What should we do?” The other shouts back, “I don’t have to outrun the bear. I only need to outrun you!”

The advice on this website follows a similar strategy (with respect to security, not bears). It provides you with the techniques you need to be more secure than average without overdoing it. As long as you are protecting the same things most other people are protecting – say, a bank account, email account, and private data on a personal computer – you need only make yourself more secure than the average person to be fairly well protected.

The reason is straightforward: Criminals trying to steal information are (usually) perfectly content to dine on the easiest prey. It turns out that you don’t need to spend an incredible amount of money and effort to be secure, because the average person spends almost none of either thinking about or acting on security issues.

That’s good news (for you, not those other hapless souls), and it should help guide your thinking about the degree of security you want and the tradeoffs you’re willing to make to get it.


  1. Comment by Goldilocks — 15 February 2007 @ 11:41 am

    Interesting perspective. Would you suggest those two friends buy a can of bear spray and forgo the whole issue? The average person seems to splurge on Norton or something of the like since it is well known the internet is full of lions and tigers and bears. You’ve charged such a program as bloated, though is it one way to get the job done without having to worry about anything?
    I have never had an intrusion and attribute my safety to the juggernaut Norton Antivirus suite. All while venturing into the deepest and darkest realms of the interweb (for the treats me and most other people generally don’t admit using the web for) and living on a LAN. Can you describe how to mitigate the threats of booby traps on the web and is there a way to tell when I’ve been violated? Are most security threats on the information superhighway traps set up along the way? How do IP addresses work, and how do they relate to one’s security and privacy (am I leaving a trail of bread crumbs for the bear to follow)? Do security programs integrate into any web browser or bypass them completely? With your praise for the fox on fire browser, am I just as safe using it as Micro’s conquistador? i.e. Norton 2k7 adds certain toolbars to IE and displays the user’s current security status. Would using Firefox compromise the way Norton handles security threats while using the Internet since there are no such indicators on the other browser?
    Thanks mate

  2. Comment by Ian Saxon — 21 February 2007 @ 2:40 am

    Hi Goldilocks,

    Wow, quite a list of questions. I’ll do my best to answer each of them.

    1. Is Norton Antivirus Suite (and other juggernaut security software suites) good for “installing and forgetting”? Answer: I’ve always felt that most security programs give the impression that they do more than they actually do without user intervention. I’ve helped many friends who had installed Norton or McAfee (and many other antivirus programs) and subsequently expressed surprise when they got multiple viruses. The reason is that installing a security program is not enough – you need to actively update and scan in order for it to be effective.

    While some Antivirus programs claim to be able to detect viruses “on the fly,” or proactively, programs often don’t detect viruses before they’ve installed because the “active” detection feature is simply not as thorough and capable as manual scans. You also need to ensure that your antivirus program is kept up to date with virus definitions – something that is usually done automatically but can be easily switched off by accident. Which brings me to another point: many antivirus programs (Norton included, in my opinion) train people to click away alerts and warnings without reading them because the warnings come so often and become annoying. So, even if Norton is trying to keep you protected, you can easily bypass its protection out of impatience and frustration (not a slight against you personally – I’ve done the same thing many times). Thus, some of the best antivirus programs are the simplest and least feature packed, because users pay more heed to their warnings and understand that they must take an active role in security.

    Also, while most virus scanners do a reasonable job locating and purging viruses, many are lackluster at eliminating spyware and adware. You need anti-spyware and anti-adware programs in addition to your virus scanner. While some security suites have started building anti-spyware and anti-adware features in, they’re often not as good as standalone products that have been around for several years.

    2. How can you mitigate threats on the web? Answer: This topic is the meat of this blog, so, for lack of space, I can’t provide a complete answer in the comments section. Here’s my best attempt at a summary: use a secure web browser (I recommend Firefox for reasons discussed here; install a trustworthy antivirus program and anti-spyware program/anti-adware program and update and scan often (once a week when your computer appears healthy, but several times a day after you become infected, until you are confident the infection is gone); and ruthlessly scan (before opening!) documents, programs, and anything else that you download onto your computer from someone else’s computer, from the internet, or from a disk. These measures prevent the vast majority of infections from viruses and spyware.

    3. How can you know when you’ve been violated? Answer: you can’t always know. The best viruses and spyware programs won’t alert you to their presence – they’ll happily siphon off your passwords and browsing habits to third parties without your knowing it. However, after a plethora of viruses or spyware programs gain a foothold, your computer will likely slow down and begin behaving strangely (shutting down unexpectedly, throwing pop-ups onto your screen, etc.). Since it’s not always possible to know when you’re infected, scanning often is vital.

    4. How do IP addresses work (and do they allow web sites to follow you and target you)? Answer: IP addresses identify your computer while you are surfing the web. Individual web sites you visit have access to your IP information unless you use an IP masking service. However, I think it’s fairly difficult to track your usage across many websites unless all of the website owners get together and share their IP traffic data. In my opinion, cookies and IP tracking are not terribly serious threats. The more serious problem is a spyware application that resides on your computer and monitors every web site you visit and password you type before sending the information to a third party. This is why high quality virus and anti-spyware scanners are so important.

    5. Do security programs integrate into any web browser or bypass them completely? Answer: some suites integrate into browsers, mostly Internet Explorer because it’s the most used. I don’t know off-hand of any security suite that bolsters Firefox. Fortunately, Firefox is extremely safe and isn’t especially in need of assistance. Internet Explorer 6, by contrast, was so shoddy that it needed all the help it could get. IE7 is much improved, so if you’re still using IE6 I encourage you to make the upgrade. If you’re considering using Firefox, don’t be dismayed that Norton (or whatever program) doesn’t have an integrated toolbar in the browser – it doesn’t mean that Firefox or your computer will be less secure as a result. If anything, it’s a measure of Firefox’s excellent security (and, of course, lesser market penetration) that security suites don’t feel the need to fix it up.

    Hope that helps.


  3. Pingback by Best of DtheK | Defending The Kingdom: Security and Privacy in Your Digital Life — 23 June 2008 @ 8:05 pm

    […] How to think about security problems as a compromise between security and effort spent getting it. addthis_url = ‘’; addthis_title = ‘Best+of+DtheK’; addthis_pub = ”; […]

  4. Pingback by Macs don’t get viruses, right? | Defending The Kingdom: Security and Privacy in Your Digital Life — 14 November 2009 @ 9:24 pm

    […] always, there is no such thing as perfect security. var addthis_pub = ”; var addthis_language = ‘en’;var addthis_options = ’email, favorites, digg, […]

  5. Pingback by Shop online safely | Defending The Kingdom: Security and Privacy in Your Digital Life — 29 November 2010 @ 3:13 am

    […] to something marginally more complex than the typical internet user’s password makes you an undesirable target, doing a bit of research on the net makes you vastly less likely to fall victim to an e-commerce […]

  6. Comment by Lillah — 10 April 2011 @ 9:38 pm

    sbM0rs That’s 2 clever by half and 2×2 clever 4 me. Thanks!

  7. Pingback by Password length: go longer? | Defending The Kingdom: Security and Privacy in Your Digital Life — 4 November 2011 @ 12:39 am

    […] blog has always taken the pragmatic route to security, recognizing that there will always be a tradeoff between security and time and money. In other words, don’t worry about being 100% safe — instead, focus on being safer than […]

RSS feed for comments on this post. TrackBack URI

Leave a comment