Computer security – a layperson ’ s guide , from the bottom up Karen

Computer security as a technical matter is complex, and opaque for those who are not themselves computer professionals but who encounter, or are ultimately responsible for, computer systems. This paper presents the essentials of computer security in non-technical terms, with the aim of helping people affected by computer systems to understand what security is about and to withstand the blinding with science mantras that too often obscure the real issues. Computer security is about several things. Thus security is (1) stopping outsiders destroying systems by virus or denial of service attacks; (2) stopping invaders perverting systems by hacking into controls or data; (3) stopping insiders using systems in ways their designers did not intend. This note is primarily about (3). It is not about (1), but in large and amorphous organisations (like governments) doing (3) properly means attending to (2) as well. Security in sense (3) depends on policy. The purpose of this note is to show that effective security policy requires attention to computational realities, i.e. to what sorts of things can be done by technical means and, more importantly, to what cannot. Computer security depends, critically, on people, and the principles involved are independent of technological detail.