The OpSec Blog

Security and privacy information and advice at home and abroad.

The “Equivalence” Principle

leave a comment »

I am sure there is a formal term for the concept I’m going to explain in this post, but I don’t know what it is.  I call it the “equivalence” principle of security, and if you’re designing a technical or physical security system it’s essential that you understand what it entails.

The “Equivalence” principle simply states that each successive level of defense must contain equally resistant components. It makes no sense to install a forced entry ballistic resistant door in a plaster wall (if that were even physically possible).  Your security system must ensure that at each level no component can be identified as the weakest link.

Security engineering is often a delicate balancing act, and obeying this principle in the field is very tough.  If you under-protect something you’ve created a huge vulnerability that your enemy is sure to exploit.  If you overprotect something you’re generally wasting money, and in this new era in which budget concerns are starting to dominate every aspect of what we do, wasting government funds is, in some ways, worse for your career than getting attacked by terrorists.

The equivalence principle also has implications at home.  Don’t spend money on an expensive door lock if you’ve got standard pane glass windows right next to it. Don’t install a safe with a reinforced door in drywall that would allow an attacker to get at the weakly reinforced walls.  Consumers often make these kinds of mistakes due to marketing (which draws focus to a flashy new lock which is subsequently installed on a cheap door) or sticker shock (securing a $500 bike with a $5 padlock and chain).  If you want to protect your personal property, make sure you look at the entire picture and not what the advertisement tells you.  No one component will make a system secure.

As a physical security best practice equivalence is fairly easy.  You build the walls to spec and install the proper doors and windows and you’ve done the best you can.  Necessities like compound access control (CAC) facilities are a little more difficult, but after we learned the importance of mantraps after the Jeddah attack our embassies’ perimeters have gotten much harder to breach.  The hardlines are similarily secure; to my knowledge a modern embassy hasn’t been breached by a hostile mob ever- and the perimeter defenses usually don’t even let it get to that point.

The technical side is much more difficult.  Since the details of our technical defenses are sensitive if not outright classified I won’t be able to get into them here.  I can, however, tell you the main reason they fail:  embassy employees.  I’ll probably be saying this a lot during the time I maintain this site, but users are the bane of any security system because security is an inconvenience. If the Ambassador insists on using Skype to video chat in his or her office there’s very little anyone can or will do about it. If a Political officer decides to do official government business on an iPad (an unapproved device) it’s highly unlikely they’ll get the security violation they deserve.  Such is life as a security professional.


Leave a Comment

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: