Tripwire’s Architecture Team has been working hard on the future lately, and while today’s post has little to do with anything we’re productizing, it’s a bit on the philosophical side. Essentially, the work we’ve been doing lately has caused me to think about what it is we secure and why we secure it.
This industry is sometimes called “information security.” We talk a lot about “information” and how to protect it. Essentially, protecting information is protecting some specific set of data, and being able to protect that data in a prioritized manner requires understanding the information that data embodies.
Why stop at information? After all, there’s the (somewhat contested) view that there exists data, information, knowledge, and finally wisdom. Given the objection to the DIKW pyramid, using the term “knowledge” is still beneficial at this point to capture the fact that adding pieces of information can yield some higher meaning. So we can say that a set of information embodies knowledge. Today, we don’t have the concept of “knowledge security,” but should we begin considering that moving forward? Given that we are moving, quite quickly, into a knowledge-based orientation, what are the implications for “information security?” Are there any? Does this perspective even matter?
Let’s look at the big data wave as an example. It’s actively seeking to mine pretty much everything including and between static, structured information and dynamic, unstructured information. Big Data seeks to mine information in search of answers. And, when that information means something, we might refer to its meaning as knowledge – the information, along with some axiomatic understanding, is knowledge.
Well, crap, how do you secure knowledge? Is there a need to secure knowledge or should we put on the brakes and just get better at securing information first? I don’t know, but from a certain perspective, understanding which pieces of information add up to important knowledge might be beneficial to prioritizing – perhaps as a complement to risk management (especially asset categorization/classification).
Or, maybe we should just stick with learning to do information security better. After all, if we can’t provide reasonable security at the host level, then what business would we have trying to secure the subset of the assets on that host comprising some piece of knowledge?