Browsing through the program for the RSA Conference next week, I see a talk by Bruce Schneier entitled "Why security has so little to do with security". The title certainly resonates with me. The word "security", in an information security context, is often used in an all-encompassing sense which includes management (as in access management, identity management), business continuity, defense against denial-of-service, and encryption. This goes beyond what "security" tends to mean in everyday English. But sometimes, in information security, "security" is just used to mean encryption [partly as a result of Bruce Schneier's Applied Cryptography book]. And this narrow cryptography definition is much narrower than how "security" is used in everyday English.
I think language is the issue here. I find it interesting that in German, the words for "security" and "certainty" (Sicherheit, literally "sureness") are the same. In French, the words for "safety" and "security" are the same (sûreté, again literally "sureness"). So, in those languages, "security" has a broad definition, incorporating senses of dependability, management, and safety. I can see how the French and German words fit with the broad information security concepts of business continuity, "management" (access management, identity management), and "safety" (the assurance that users and their data will be protected).
This had been a pet theory of mine for a while, but then I read something similar in the BBC's "Letter from Europe" column last month:
A friend and colleague who is annoyingly fluent in half a dozen languages notices the growth of something he calls "Brussels English". One example he gives is the persistent use of "security" to mean "safety", perhaps because in French and German they are the same word. This habit has evidently spread to England too. He cites an example at Waterloo Station, which requests that people put their hot drinks down while going through the ticket barrier "for their own security". But surely it is their safety, not security, that is at risk?
But that sets me musing on whether this is a reaction to a rather modern use of the word "security" in English. When did it first acquire its current meaning in English? Wartime? When did "security guards" first enter the language?
In XML security, Vordel's area, the security we provide goes well beyond cryptography, into the areas of management (access control, reporting on traffic), availability and dependability (monitoring service level agreements), and safety (ensuring data is protected). That is, it encompasses the broader French and German meanings of "security" rather than just the narrower English-language usage.
I'll try to get there early to get a seat for Bruce Schneier's talk. Usually I end up sitting on the floor near the door, since his RSA talks are always very popular.