- Soft security is not weak security.
The idea is to protect the system and its users from harm, in gentle and unobtrusive ways. The opposite of HardSecurity. It follows NonViolence. Instead of using violence, it works architecturally in defense to convince people against attacking and to LimitDamage. It works socially in offense to convince people to be friendly and to get out of the way of people adding value. Soft security is difficult. It often requires you to grow as a person, sometimes painfully so. This by itself makes it valuable.
SoftSecurity is like water. It bends under attack, only to rush in from all directions to fill the gaps. It's strong over time yet adaptable to any shape. It seeks to influence and encourage, not control and enforce.
- If nothing within you stays rigid, outward things will disclose themselves. Moving, be like water. Still, be like a mirror. Respond like an echo. -- Bruce Lee
- I made what I think is a somewhat nuanced and complicated argument about the nature of security. As such it is difficult to summarize. Basically I think that security measures of a purely technological nature, such as guns and crypto, are of real value, but that the great bulk of our security, at least in modern industrialized nations, derives from intangible factors having to do with the social fabric, which are poorly understood by just about everyone. If that is true, then those who wish to use the Internet as a tool for enhancing security, freedom, and other good things might wish to turn their efforts away from purely technical fixes and try to develop some understanding of just what the social fabric is, how it works, and how the Internet could enhance it. However this may conflict with the (absolutely reasonable and understandable) desire for privacy. -- NealStephenson, ComputersFreedomAndPrivacy 2000 (Toronto)
See also an [excerpt] by Sir Arthur Conan Doyle that Neal selected to show these ideas aren't new.
SoftSecurity is a collective solution, whereas HardSecurity is often an individual solution. It's important to remember that although the Patterns below are written as prescriptions for you to follow, they are meant as notices for everyone to follow. When SoftSecurity becomes unilaterally enforced, it fails. This is a chicken-and-egg statement. When SoftSecurity fails--when TheCollective fails to act--only a few heroes try to keep it working. When only one person defends TheCollective, the defense loses its effectiveness and believability. One, the target of the defense will not know the hero speaks for the RoyalWe, and will thus attempt to undermine the hero's authority in acting. Two, it may be the case that the CommunityDoesNotAgree, and the hero is acting out VigilanteJustice; acting alone should give you good pause to reconsider what you are doing. Finally, while you think you ModelDesiredBehaviour, you are not providing space for others to act themselves, and so the real message you are sending is that they should not act.
SoftSecurity follows from the principles of
- AssumeGoodFaith. People are almost always trying to be helpful; so, we apply the PrincipleOfFirstTrust, confident that occasional bad will be overwhelmed by the good.
- PeerReview. Your peers can ensure that you don't damage the system.
- ForgiveAndForget. Even well-intentioned people make mistakes. They don't need to be permanent.
- LimitDamage. When unpreventable mistakes are made, keep the damage within tolerable limits.
- FairProcess. Kim and Mauborgne's theory that being transparent and giving everyone a voice are essential management skills.