A standard first dictionary definition of security is freedom from danger. Danger or threat, as it is often labeled, has to be present or assumed to be present otherwise there is no need for security. In recent years, threat has conventionally been defined by security professionals as the sum of the opposition’s capability, intent (will), and opportunity, and can be expressed thus:
Threat = Capability + Intent (will) + Opportunity
Indeed, without a capability, an attack cannot take place. An
attacker must possess a specific capability for a specific attack. For instance, the Afghan Taliban cannot carry out a nuclear missile attack on the United States even if they have full intent and an opportunity. Intent or will is also a necessary ingredient. North Korea has the capability for a nuclear strike on South Korea, but many factors keep their will in check. Similarly, Iran may have a capability to attack a defenseless American recreational sailboat in its territorial waters, and be perfectly
willing to do so, but American recreational sailors just do not go there, providing no opportunity.
Furthermore, applying this formula usually does not produce precise results since ingredients such as capability and opportunity are usually not known exactly and often are just assumed. A classic example of this is the infamous case of Iraq’s weapons of mass destruction as justification of the last Iraq war.
The first recorded breach of security occurred in the Garden of
Eden. Apparently, there was a sense of threat, and Cherubim guarding it with flaming swords were the security measures taken. However, the security measures were insufficient, and that allowed the serpent to infiltrate the Garden of Eden and do his ungodly deed.
In fact, there is no perfect security. We can only provide degrees of protection (i.e., if there is a threat, risk is always present, though its level may vary. Often this is reflected in the statement that risk is a combination of threat and vulnerability:
Risk = Threat + Vulnerability
This looks logical since vulnerability means exposure to a certain
threat. This also leads to the assertion that:
Vulnerability is a deficiency of protection against a specific
attack.
A reasonably comprehensive definition of security would probably
be something like:
A set of measures that eliminate, or at least alleviate the
probability of destruction, theft, or damage to a being, an object, a process, or data, including the revelation of a process, or of the
content of information.