(11) The Sun Tzu Security Status Scale

Recently I started studying a new book, Physical and Logical Security Convergence, by five authors including my friend Dan Dunkel. I’m only a little way into the book, but so far it’s very good.

In fact, the first chapter inspired today’s issue, prompted by the book’s presentation of several quotations from the world’s oldest treatise on military strategy, Sun Tzu’s Art of War.

It is all too easy for the press of daily happenings to shrink our focus to tactical and operational problem-solving. From that vantage point, “strategic planning” can seem awfully academic.

Additionally, the simplicity and familiarity of some of the most basic security strategies cause us to dismiss them, if not entirely, at least day by day. They are not new or exciting. They don’t command awe or give us a “wow” moment.

Until we read something like The Art of War, and we are reminded once again how powerful effective strategies can be.

If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
—Sun Tzu, The Art of War, Section III, Number 18

So in war, the way is to avoid what is strong and to strike at what is weak.
—Sun Tzu, The Art of War, Section VI, Number 30

Attack him where he is unprepared, appear where you are not expected.
—Sun Tzu, The Art of War, Section I, Number 24

While reflecting on Sun Tzu’s statements, I realized that he had written a very basic security status scale.

Sun Tzu Security Status Scale

| Know the Enemy | Know Yourself | Security Status | Result |
|---|---|---|---|
| No | No | No threat or vulnerability assessment | You will succumb in every battle |
| No | Yes | Vulnerability assessment but no threat assessment | For every victory gained you will also suffer a defeat |
| Yes | Yes | Both threat and vulnerability assessments are current | You need not fear the result of a hundred battles |

We don’t use the term “battle” in security; instead we use “attack” or “incident”. But the principle is the same.

Sun Tzu’s words above are from the Lionel Giles translation (1910), which I prefer to the modern rephrased translations. In this translation there is a subtle reality to Sun Tzu’s words.

Sun Tzu doesn’t say that knowing both the enemy and yourself will mean that you never suffer any loss. He says that “you need not fear the result” of a hundred attacks or incidents. In other words, risks are reduced to acceptable levels. And that’s the job of security.

Over two thousand years of history have repeatedly proven the wisdom of this strategy: know yourself and know your enemy.

Isn’t that more than enough proof to conclude that it is not only a good strategy but a basic security responsibility to perform threat and vulnerability assessments, keep them current, and act on their findings?

How does your security rate on the Sun Tzu scale?

Best regards,
Ray Bernard
