
Enough Already – Stop misusing the word “Assurance”

August 22nd, 2009

Back in 2007, I heard a speaker talk about planned updates to an ISO standard.  In his presentation, he indicated that one of his colleagues had asked him to update the ISO standard to include language on “Information Assurance.”  To make a long story short, the ISO standards couldn’t accommodate an update if assurance meant “Security.”  However, too often, we find that entire federal departments say the word “Assurance” when they mean “Security.”  The Defense Department is the worst offender.

Dictionary.com says this:

  1. Assurance – a positive declaration intended to give confidence.
  2. Security – freedom from danger, risk, etc. 

This problem is almost as old as the Unix operating system.  Back then, some bright people in the intelligence community began using the term “assurance” because a purist engineer told them that no computer could truly be labeled “secure.”  Obviously, this happened in the days before “portable computers” or “Service Oriented Architecture,” but I digress.

Instead of saying “secure systems,” they said “assured systems” (which was a condensation of “security assured systems”) to please the theoreticians, and an entire industry grew up to support this thing they call “assurance.”  It was further shortened to “information assurance” at some point in the 1990s.

Fast forward to the 21st Century and we find that many aspects of computing must be assured.  Safety assurance is important, as is reliability assurance.  If we travel from “The Beltway” to “The City,” we must stop saying “assurance” and start saying “security.”  If you’re starting to feel like an edge router, you’re not alone.

All of this might be entertaining, if there weren’t a real underlying problem with the misuse of this term.  It turns out that saying security when we mean security helps us to balance risks.  If assurance only means security assurance, how can we do tradeoffs between security and safety?  Can we ever have safety assurance if every one of our software developers is looking over his or her shoulder at the security group?  Even if we could, could we teach a computer to understand the nuance?

For example, how would you interpret the following business requirement?  “The system must provide high assurance for all valve management safety processes.”  If you read ISO 15226, it means that the safety systems have to work.  If you read the SOAR report or any of the major DoD Assurance directives, it means that your safety systems should not have read up or write down.  These are two fundamentally different things.

So let’s begin reclaiming the language that our global audience understands.  When you want security – say security.

Jim Molini, CISSP, CSSLP