Understanding the context of security

Understanding the context of security depends heavily on the perspective or position of the person involved in the security process, such as those implementing, using, or prescribing security controls. Different security positions, often referred to as “security logics,” shape how individuals or organizations experience and understand security controls. These perspectives can significantly influence the design, implementation, and effectiveness of security measures.

Top-down Perspective – A Default Position

The “Top-down Perspective” is often the default position taken by those in authority, such as policymakers, managers, or security professionals who are responsible for setting security controls. This perspective is characterized by a centralized approach to security, where decisions are made at higher levels of an organization and then imposed on others. The focus is on compliance, risk management, and ensuring that security policies and procedures are followed. The advantage of this perspective is that it provides a structured and standardized approach to security, which can be easier to manage and enforce across an organization.

However, the top-down perspective may overlook the practical realities and challenges faced by those who are required to implement these controls at the operational level. It can lead to a disconnect between policy and practice, where security measures are seen as burdensome or irrelevant by the end-users, resulting in poor compliance or even resistance.

Bottom-up Perspective – An Operational View

In contrast to the top-down perspective, the “Bottom-up Perspective” focuses on the experiences and needs of the individuals who are directly impacted by security controls. This perspective is more operational and considers how security measures affect day-to-day activities. Those who adopt a bottom-up perspective are often more concerned with the usability and practicality of security controls. They may prioritize ease of use, flexibility, and the ability to adapt security measures to specific circumstances.

While the bottom-up perspective offers valuable insights into how security controls function in practice, it may also lead to inconsistencies in how security measures are applied. Without a central guiding framework, there is a risk of fragmented security practices that may weaken the overall security posture.

Negotiated Perspective – A Collaborative Approach

The “Negotiated Perspective” represents a middle ground between the top-down and bottom-up approaches. It involves a collaborative process where security controls are discussed, negotiated, and agreed upon by all stakeholders. This perspective acknowledges that both high-level security policies and the practical realities of implementation need to be considered. The negotiated perspective is characterized by communication, flexibility, and compromise, aiming to find a balance that satisfies both the requirements of security management and the needs of those implementing the controls.

By incorporating multiple viewpoints, the negotiated perspective can lead to more effective and widely accepted security controls. However, the process of negotiation can be time-consuming and may require ongoing effort to maintain alignment between different stakeholders.

Concluding Comments

Understanding these different security positions is crucial for developing and implementing effective security controls. Each perspective offers unique insights and challenges, and the most successful security strategies often incorporate elements from all three. By recognizing the diverse ways in which security controls are experienced and understood, security professionals can design more inclusive and effective security measures that are better aligned with the needs and expectations of all stakeholders.

For further reading on these perspectives and how they shape security practices, you can refer to Lizzie Coles-Kemp’s work, specifically Chapter 4 of her article in “Inclusive Security: Digital Security Meets Web Science.” This chapter provides a comprehensive exploration of the different security logics and their implications for security design and implementation.
