Sunday, September 9, 2007

finance security

A security is a fungible, negotiable instrument representing financial value. Securities are broadly categorized into debt and equity securities such as bonds and common stocks, respectively. The company or other entity issuing the security is called the issuer. What specifically qualifies as a security is dependent on the regulatory structure in a country. For example private investment pools may have some features of securities, but they may not be registered or regulated as such if they meet various restrictions.

Securities may be represented by a certificate or, more typically, by an electronic book entry interest. Certificates may be bearer, meaning they entitle the holder to rights under the security merely by holding the security, or registered, meaning they entitle the holder to rights only if he or she appears on a security register maintained by the issuer or an intermediary. They include shares of corporate stock or mutual funds, bonds issued by corporations or governmental agencies, stock options or other options, limited partnership units, and various other formal investment instruments that are negotiable and fungible.


Classification

Securities may be classified according to the following categories:

  • Issuer
  • Currency of denomination
  • Ownership rights
  • Term to maturity
  • Degree of liquidity
  • Income payments
  • Tax treatment

By Type of Issuer

Issuers of securities include commercial companies, government agencies, local authorities and international and supranational organizations (such as the World Bank). Debt securities issued by a government (called government bonds or sovereign bonds) generally carry a lower interest rate than corporate debt issued by commercial companies. Interests in an asset, for example the flow of royalty payments from intellectual property, may also be turned into securities. These repackaged securities resulting from a securitization are usually issued by a company established for the purpose of the repackaging, called a special purpose vehicle (SPV). See "Repackaging" below. SPVs are also used to issue other kinds of securities. SPVs can also be used to guarantee securities, such as covered bonds.

New capital: Commercial enterprises have traditionally used securities as a means of raising new capital. Securities may be an attractive option relative to bank loans depending on their pricing and market demand for particular characteristics. A further drawback of bank loans as a source of financing is that the bank may seek a measure of protection against default by the borrower via extensive financial covenants. Through securities, capital is provided by investors who purchase the securities upon their initial issuance. In a similar way, governments may raise capital through the issuance of securities (see government debt).

Repackaging: In recent decades securities have been issued to repackage existing assets. In a traditional securitisation, a financial institution may wish to remove assets from its balance sheet in order to achieve regulatory capital efficiencies or to accelerate its receipt of cash flow from the original assets. Alternatively, an intermediary may wish to make a profit by acquiring financial assets and repackaging them in a way which makes them more attractive to investors.

By Type of Holder

Investors in securities may be retail, i.e. members of the public investing other than by way of business. The greatest part in terms of volume of investment is wholesale, i.e. by financial institutions acting on their own account, or on behalf of clients. Important institutional investors include investment banks, insurance companies, pension funds and other managed funds.

Investment: The traditional economic function of the purchase of securities is investment, with the view to receiving income and/or achieving capital gain. Debt securities generally offer a higher rate of interest than bank deposits, and equities may offer the prospect of capital growth. Equity investment may also offer control of the business of the issuer. Debt holdings may also offer some measure of control to the investor if the company is a fledgling start-up or an old giant undergoing 'restructuring'. In these cases, if interest payments are missed, the creditors may take control of the company and liquidate it to recover some of their investment.

Collateral: The last decade has seen an enormous growth in the use of securities as collateral. Purchasing securities with borrowed money secured by other securities is called "buying on margin." Where A is owed a debt or other obligation by B, A may require B to deliver property rights in securities to A. These property rights enable A to satisfy its claims in the event that B becomes insolvent. Collateral arrangements are divided into two broad categories, namely security interests and outright collateral transfers. Commonly, commercial banks, investment banks and government agencies are significant collateral takers.

Debt and Equity

Securities are traditionally divided into debt securities and equities.

Debt

Debt securities may be called debentures, bonds, notes or commercial paper depending on their maturity and certain other characteristics. The holder of a debt security is typically entitled to the payment of principal and interest, together with other contractual rights under the terms of the issue, such as the right to receive certain information. Debt securities are generally issued for a fixed term and redeemable by the issuer at the end of that term. Debt securities may be protected by collateral or may be unsecured, and, if they are unsecured, may be contractually "senior" to other unsecured debt meaning their holders would have a priority in a bankruptcy of the issuer. Debt that is not senior is "subordinated".

Corporate bonds represent the debt of commercial or industrial entities. Debentures have a long maturity, typically at least ten years, whereas notes have a shorter maturity. Commercial paper is a simple form of debt security that essentially represents a post-dated check with a maturity of not more than 270 days.

Money market instruments are short term debt instruments that may have characteristics of deposit accounts, such as certificates of deposit, and certain bills of exchange. They are highly liquid and are sometimes referred to as "near cash". Commercial paper is also often highly liquid.

Euro debt securities are securities issued internationally outside their domestic market in a denomination different from that of the issuer's domicile. They include eurobonds and euronotes. Eurobonds are characteristically underwritten, and not secured, and interest is paid gross. A euronote may take the form of euro-commercial paper (ECP) or euro-certificates of deposit.

Government bonds are medium or long term debt securities issued by sovereign governments or their agencies. Typically they carry a lower rate of interest than corporate bonds, and serve as a source of finance for governments. U.S. federal government bonds are called treasuries. Because of their liquidity and perceived low risk, treasuries are used to manage the money supply in the open market operations of non-US central banks.

Sub-sovereign government bonds, known in the U.S. as municipal bonds, represent the debt of state, provincial, territorial, municipal or other governmental units other than sovereign governments.

Supranational bonds represent the debt of international organizations such as the World Bank, the International Monetary Fund, regional multilateral development banks and others.

Equity

An equity security is a share in the capital stock of a company (typically common stock, although preferred equity is also a form of capital stock). The holder of an equity is a shareholder, owning a share, or fractional part, of the issuer. Unlike debt securities, which typically require regular payments (interest) to the holder, equity securities are not entitled to any fixed payment; dividends are paid only at the issuer's discretion. In bankruptcy, they share only in the residual interest of the issuer after all obligations have been paid out to creditors. However, equity generally entitles the holder to a pro rata portion of control of the company, meaning that a holder of a majority of the equity is usually entitled to control the issuer. Equity also enjoys the right to profits and capital gain, whereas holders of debt securities receive only interest and repayment of principal regardless of how well the issuer performs financially. Furthermore, debt securities do not have voting rights outside of bankruptcy. In other words, equity holders are entitled to the "upside" of the business and to control the business.


Hybrid

Hybrid securities combine some of the characteristics of both debt and equity securities.

Preference shares form an intermediate class of security between equities and debt. If the issuer is liquidated, they carry the right to receive a fixed dividend and/or a return of capital in priority to ordinary shareholders. However, from a legal perspective, they are capital stock and therefore may entitle holders to some degree of control depending on whether they contain voting rights.

Convertibles are bonds or preferred stock which can be converted, at the election of the holder of the convertibles, into the common stock of the issuing company. The convertibility, however, may be forced if the convertible is a callable bond, and the issuer calls the bond. The bondholder has about 1 month to convert it, or the company will call the bond by giving the holder the call price, which may be less than the value of the converted stock. This is referred to as a forced conversion.

Equity warrants are options issued by the company that allow the holder of the warrant to purchase a specific number of shares at a specified price within a specified time. They are often issued together with bonds or existing equities, and are sometimes detachable from them and separately tradable. When the holder of the warrant exercises it, he pays the money directly to the company, and the company issues new shares to the holder.

Warrants, like other convertible securities, increase the number of shares outstanding, and are accounted for in financial reports under fully diluted earnings per share, which assumes that all warrants and convertibles will be exercised.


The Securities Market

Primary and Secondary Market

The public securities markets can be divided into primary and secondary markets. The distinguishing difference between the two markets is that in the primary market, the money for the securities is received by the issuer of those securities from investors, whereas in the secondary market, the money goes from one investor to the other. When a company issues public stock for the first time, this is called an Initial Public Offering (IPO). A company can later issue more new shares, or issue shares that have been previously registered in a shelf registration. These later new issues are also sold in the primary market, but they are not considered to be an IPO. Issuers usually retain investment banks to assist them in administering the IPO, getting SEC approval, and selling the new issue. When the investment bank buys the entire new issue from the issuer at a discount to resell it at a markup, it is called an underwriting, or firm commitment. However, if the investment bank considers the risk too great for an underwriting, it may only assent to a best effort agreement, where the investment bank will simply do its best to sell the new issue.

In order for the primary market to thrive, there must be a secondary market, or aftermarket, where holders of securities can sell them to other investors for cash, hopefully at a profit. Otherwise, few people would purchase primary issues, and, thus, companies and governments would be unable to raise money for their operations. Organized exchanges constitute the main secondary markets. Many smaller issues and most debt securities trade in the decentralized, dealer-based over-the-counter markets.

In Europe, the principal trade organization for securities dealers is the International Capital Market Association. In the U.S., the principal organization for securities dealers is the Securities Industry and Financial Markets Association. The Bond Market Association represents bond dealers globally.

Public Offer and Private Placement

In the primary markets, securities may be offered to the public in a public offer. Alternatively, they may be offered privately to a limited number of qualified persons in a private placement. Often a combination of the two is used. The distinction between the two is important to securities regulation and company law. Privately placed securities are often not publicly tradable and may only be bought and sold by sophisticated qualified investors. As a result, the secondary market is not as liquid.

Another category, sovereign debt, is generally sold by auction to a specialised class of dealers.

Listing and OTC Dealing

Securities are often listed in a stock exchange, an organised and officially recognised market on which securities can be bought and sold. Issuers may seek listings for their securities in order to attract investors, by ensuring that there is a liquid and regulated market in which investors will be able to buy and sell securities.

Growth in informal electronic trading systems has challenged the traditional business of stock exchanges. Large volumes of securities are also bought and sold "over the counter" (OTC). OTC dealing involves buyers and sellers dealing with each other by telephone or electronically on the basis of prices that are displayed electronically, usually by commercial information vendors such as Reuters and Bloomberg.

There are also eurosecurities, which are securities that are issued outside their domestic market into more than one jurisdiction. They are generally listed on the Luxembourg Stock Exchange or admitted to listing in London. The reasons for listing eurobonds include regulatory and tax considerations, as well as investment restrictions.

International Debt Market

London is the centre of the eurosecurities markets. There was a huge rise in the eurosecurities market in London in the early 1980s. Settlement of trades in eurosecurities is currently effected through two European computerised systems called Euroclear (in Belgium) and Clearstream (formerly Cedelbank in Luxembourg).

The main market for Eurobonds is the EuroMTS, owned by Borsa Italiana and Euronext.

Physical Nature of Securities

Certificated Securities

Securities that are represented by certificates are called certificated securities. They may be bearer or registered.

Bearer Securities

Bearer securities are completely negotiable and entitle the holder to the rights under the security (e.g. to payment if it is a debt security, and voting if it is an equity security). They are transferred by delivering the instrument from person to person. In some cases, transfer is by endorsement, or signing the back of the instrument, and delivery.

Regulatory and fiscal authorities sometimes regard bearer securities negatively, as they may be used to facilitate the evasion of regulatory restrictions and tax. In the United Kingdom, for example, the issue of bearer securities was heavily restricted by the Exchange Control Act 1947 until 1963. Bearer securities are very rare in the United States because of the negative tax implications they may have for the issuer and holder.

Registered Securities

In the case of registered securities, certificates bearing the name of the holder are issued, but these merely represent the securities. A person does not automatically acquire legal ownership by having possession of the certificate. Instead, the issuer (or its appointed agent) maintains a register in which details of the holder of the securities are entered and updated as appropriate. A transfer of registered securities is effected by amending the register.

Uncertificated Securities and Global Certificates

Modern practice has developed to eliminate both the need for certificates and maintenance of a complete security register by the issuer. There are two general ways this has been accomplished.

Uncertificated Securities

In some jurisdictions, such as France, it is possible for issuers of that jurisdiction to maintain a legal record of their securities electronically...

Global Certificates and Book Entry Interests

In the United States, the corporation laws typically do not permit securities to be issued without being represented by one or more registered certificates. In order to facilitate the electronic transfer of interests in securities, a system has developed whereby issuers deposit a single global certificate representing all the outstanding securities of a class or series with a universal depository. This depository is called the Depository Trust Corporation, or DTC. DTC is a non-profit cooperative owned by approximately thirty of the largest Wall Street players that typically act as brokers or dealers in securities. These thirty banks are called the DTC participants. DTC, through a legal nominee, owns each of the global securities on behalf of all the DTC participants.

All securities traded through DTC are in fact held, in electronic form, on the books of various intermediaries between the ultimate owner, e.g. a retail investor, and the DTC participants. For example, Mr. Smith may hold 100 shares of Coca Cola, Inc. in his brokerage account at local broker Jones & Co. brokers. In turn, Jones & Co. may hold 1000 shares of Coca Cola on behalf of Mr. Smith and nine other customers. These 1000 shares are held by Jones & Co. in an account with Goldman Sachs, a DTC participant, or in an account at another DTC participant. Goldman Sachs in turn may hold millions of Coca Cola shares on its books on behalf of hundreds of brokers similar to Jones & Co. Each day, the DTC participants settle their accounts with the other DTC participants and adjust the number of shares held on their books for the benefit of customers like Jones & Co. Ownership of securities in this fashion is called beneficial ownership. Each intermediary holds on behalf of someone beneath him in the chain. The ultimate owner is called the beneficial owner. This is also referred to as owning in "Street name".

Other Depositories: Euroclear and Clearstream

Besides DTC, two other large securities depositories exist, both in Europe: Euroclear and Clearstream.

Divided and Undivided Security

The terms "divided" and "undivided" relate to the proprietary nature of a security.

Each divided security constitutes a separate asset, which is legally distinct from each other security in the same issue. Pre-electronic bearer securities were divided. Each instrument constitutes the separate covenant of the issuer and is a separate debt.

With undivided securities, the entire issue makes up one single asset, with each of the securities being a fractional part of this undivided whole. Shares in the secondary markets are always undivided. The issuer owes only one set of obligations to shareholders under its memorandum, articles of association and company law. A share represents an undivided fractional part of the issuing company. Registered debt securities also have this undivided nature.

Fungible and Non-fungible Security

The terms "fungible" and "non-fungible" relate to the way in which securities are held.

If an asset is fungible, this means that when such an asset is lent, or placed with a custodian, it is customary for the borrower or custodian to be obliged at the end of the loan or custody arrangement to return assets equivalent to the original asset, rather than the identical asset. In other words, the redelivery of fungibles is equivalent and not in specie (identical).

Undivided securities are always fungible by logical necessity. Divided securities may or may not be fungible, depending on market practice. The clear trend is towards fungible arrangements.

Regulation

In the United States, the public offer and sale of securities must either be registered pursuant to a registration statement filed with the U.S. Securities and Exchange Commission (SEC) or be offered and sold pursuant to an exemption from registration. Dealing in securities is heavily regulated by both the federal authorities (SEC) and state authorities. In addition the industry is heavily self-policed by Self Regulatory Organizations (SROs), such as the NASD or the MSRB.

Due to the difficulty of creating a general definition that covers all securities, Congress attempts to define "securities" exhaustively (and not very precisely) as: "any note, stock, treasury stock, security future, bond, debenture, certificate of interest or participation in any profit-sharing agreement or in any oil, gas, or other mineral royalty or lease, any collateral-trust certificate, preorganization certificate or subscription, transferable share, investment contract, voting-trust certificate, certificate of deposit for a security, any put, call, straddle, option, or privilege on any security, certificate of deposit, or group or index of securities (including any interest therein or based on the value thereof), or any put, call, straddle, option, or privilege entered into on a national securities exchange relating to foreign currency, or in general, any instrument commonly known as a 'security'; or any certificate of interest or participation in, temporary or interim certificate for, receipt for, or warrant or right to subscribe to or purchase, any of the foregoing; but shall not include currency or any note, draft, bill of exchange, or bankers' acceptance which has a maturity at the time of issuance of not exceeding nine months, exclusive of days of grace, or any renewal thereof the maturity of which is likewise limited." (Section 3(a)(10) of the Securities Exchange Act of 1934.)

The US courts have developed a broad test for what counts as a security that must then be registered with the SEC: there is an investment of money, in a common enterprise, with an expectation of profits to come primarily from the efforts of others. See SEC v. W.J. Howey Co. and SEC v. Glenn W. Turner Enterprises, Inc.

Human security

Human security refers to an emerging paradigm for understanding global vulnerabilities whose proponents challenge the traditional notion of national security by arguing that the proper referent for security should be the individual rather than the state. Human security holds that a people-centered view of security is necessary for national, regional and global stability.

The concept emerged from a post-Cold War, multi-disciplinary understanding of security involving a number of research fields, including development studies, international relations, strategic studies, and human rights. The United Nations Development Programme's 1994 Human Development Report[1] is considered a milestone publication in the field of human security, with its argument that ensuring "freedom from want" and "freedom from fear" for all persons is the best path to tackling the problem of global insecurity. Human security is now frequently referred to in a wide variety of global policy discussions and often taught in universities as part of international relations, globalization, or human rights studies.

Critics of the concept argue that its vagueness undermines its effectiveness; that it has become little more than a vehicle for activists wishing to promote certain causes; and that it does not help the research community understand what security means or help decision makers to formulate good policies.


Concept

The end of the Cold War is often seen as the moment where human security gained real recognition because of the belief that, with the relaxation of ideological hostilities between the US and USSR in the early 1990s, real progress could be made to address the root causes of global insecurity. Increasing levels of global interdependence further solidified the growing consensus that today's security threats go beyond our traditional understanding of defense threats, (e.g. attack from another state) to include poverty, economic inequality, diseases, human rights abuses, environmental pollution, and natural disasters. Those who argue for the adoption of a human security agenda believe that if our security apparatuses focused more on protecting individual citizens and groups from threats that may endanger their basic survival, rather than simply on perceived threats to the nation state, the world would be a more secure place.

UNDP's 1994 Definition

Dr. Mahbub ul Haq first drew global attention to the concept of human security in the United Nations Development Programme's 1994 Human Development Report and sought to influence the UN's 1995 World Summit on Social Development in Copenhagen. Since then, human security has been receiving more attention from the key global development institutions, such as the World Bank.

The UNDP's 1994 Human Development Report's definition of human security argues that the scope of global security should be expanded to include threats in seven areas:

[Figure: Coloured world map indicating Human Development Index (as of 2003). Countries coloured green exhibit high human development, those coloured yellow/orange exhibit medium human development, and those coloured red exhibit low human development.]
  • Economic security — Economic security requires an assured basic income for individuals, usually from productive and remunerative work or, as a last resort, from a publicly financed safety net. In this sense, only about a quarter of the world’s people are presently economically secure. While the economic security problem may be more serious in developing countries, concern also arises in developed countries as well. Unemployment problems constitute an important factor underlying political tensions and ethnic violence.
  • Food security — Food security requires that all people at all times have both physical and economic access to basic food. According to the United Nations, the overall availability of food is not a problem, rather the problem often is the poor distribution of food and a lack of purchasing power. In the past, food security problems have been dealt with at both national and global levels. However, their impacts are limited. According to UN, the key is to tackle the problems relating to access to assets, work and assured income (related to economic security).
  • Health security — Health Security aims to guarantee a minimum protection from diseases and unhealthy lifestyles. In developing countries, the major causes of death are infectious and parasitic diseases, which kill 17 million people annually. In industrialized countries, the major killers are diseases of the circulatory system, killing 5.5 million every year. According to the United Nations, in both developing and industrial countries, threats to health security are usually greater for poor people in rural areas, particularly children. This is mainly due to malnutrition and insufficient supply of medicine, clean water or other necessity for healthcare.
  • Environmental security — Environmental security aims to protect people from the short- and long-term ravages of nature, man-made threats in nature, and deterioration of the natural environment. In developing countries, lack of access to clean water resources is one of the greatest environmental threats. In industrial countries, one of the major threats is air pollution. Global warming, caused by the emission of greenhouse gases, is another environmental security issue.
  • Personal security — Personal security aims to protect people from physical violence, whether from the state or external states, from violent individuals and sub-state actors, from domestic abuse, or from predatory adults. For many people, the greatest source of anxiety is crime, particularly violent crime.
  • Community security — Community security aims to protect people from the loss of traditional relationships and values and from sectarian and ethnic violence. Traditional communities, particularly minority ethnic groups are often threatened. About half of the world’s states have experienced some inter-ethnic strife. The United Nations declared 1993 the Year of Indigenous People to highlight the continuing vulnerability of the 300 million aboriginal people in 70 countries as they face a widening spiral of violence.
  • Political security — Political security is concerned with whether people live in a society that honors their basic human rights. According to a survey conducted by Amnesty International, political repression, systematic torture, ill treatment or disappearance was still practised in 110 countries. Human rights violations are most frequent during periods of political unrest. Along with repressing individuals and groups, governments may try to exercise control over ideas and information.

Freedom from Fear vs Freedom from Want

In an ideal world, each of the UNDP's seven categories of threats would receive adequate global attention and resources. Yet attempts to implement this human security agenda have led to the emergence of two major schools of thought — "Freedom from Fear" and "Freedom from Want". While the UNDP 1994 report originally argued that human security requires attention to both freedom from fear and freedom from want, divisions have gradually emerged over the proper scope of that protection (e.g. over what threats individuals should be protected from) and over the appropriate mechanisms for responding to these threats.

  • Freedom from Fear — This school seeks to limit the practice of Human Security to protecting individuals from violent conflicts. This approach argues that limiting the focus to violence is a realistic and manageable approach towards Human Security. Emergency assistance, conflict prevention and resolution, peace-building are the main concerns of this approach. Canada, for example, was a critical player in the efforts to ban landmines and has incorporated the "Freedom from Fear" agenda as a primary component in its own foreign policy.
  • Freedom from Want — According to UNDP 1994, the "Freedom from Want" school focuses on the basic idea that violence, poverty, inequality, disease, and environmental degradation are inseparable concepts in addressing the root of human insecurity. Unlike "Freedom from Fear", it expands the focus beyond violence with emphasis on development and security goals. Japan, for example, has adopted the broader "Freedom from Want" perspective in its own foreign policy and in 1999 established a UN trust fund for the promotion of Human Security.

Relationship with traditional security

Human security and traditional or national security are not mutually exclusive concepts. Without human security, traditional state security cannot be attained and vice-versa.

[Figure: Europe after the Peace of Westphalia in 1648]

Traditional security is about a state's ability to defend itself against external threats. Traditional security (often referred to as national security or state security) describes the philosophy of international security that has predominated since the Peace of Westphalia in 1648 and the rise of the nation-state. While international relations theory includes many variants of traditional security, from realism to idealism, the fundamental trait that these schools share is their focus on the primacy of the nation-state.


Relationship with development studies

Human security also challenged and drew from the practice of international development.

Traditionally, embracing liberal market economics was considered to be the universal path for economic growth, and thus development for all humanity. Yet, continuing conflict and human rights abuses following the end of the Cold War and the fact that two-thirds of the global population seemed to have gained little from the economic gains of globalization[8], led to fundamental questions about the way development was practiced.

Under human security, poverty and inequality are considered root causes of individual vulnerability. The paper Development and Security by Frances Stewart argues that security and development are deeply interconnected.

  • Human security forms an important part of people’s well-being, and is therefore an objective of development.
    An objective of development is “the enlargement of human choices”. Insecurity cuts life short and thwarts the use of human potential, thereby affecting the reaching of this objective.
  • Lack of human security has adverse consequences on economic growth, and therefore development.
    Some development costs are obvious. For example, in wars, people who join the army or flee can no longer work productively. Also, destroying infrastructure reduces the productive capacity of the economy.
  • Imbalanced development that involves horizontal inequalities is an important source of conflict.
    Therefore, vicious cycles of lack of development which leads to conflict, then to lack of development, can readily emerge. Likewise, virtuous cycles are possible, with high levels of security leading to development, which further promotes security in return.

Gender and human security

Gender plays an important role in human security since oftentimes gender inequality gives rise to skewed distribution of resources or neglect in areas vital to individual security. Female susceptibility to domestic violence provides one example.

A survey conducted by World Health Organization in 2005 shows that one-sixth of women in the world suffer from family violence. They are mainly beaten by their husbands or partners, which then results in physical and mental health problems, even suicide. Other surveys indicate that half of the women who die from homicides are killed by, or abused to death by their partners. Shelter is one of the human security needs, but for many women these shelters are unsafe and potentially life-threatening.

Prevention

Prevention is another vital tenet of the human security paradigm. According to the Carnegie Commission on Preventing Deadly Conflict, "the international community spent approximately $200 billion on conflict management in seven major interventions in the 1990s… but could have saved $130 billion through a more effective preventive approach."

The human security approach advocates that more efforts and resources need to be invested in:

  • accurate early-warning knowledge - knowledge of the fragility of a situation and the risks associated with it, so that a possible disaster can be anticipated
  • understanding of preventive measures - the policy measures available that are capable of stopping the disaster from materializing, and
  • willingness to apply those measures - the parties involved, especially the states themselves, must have the political will to follow through on them

Many efforts have been made to tackle these prerequisites. For example, new types of NGOs, dedicated exclusively to detecting early warning signs of conflict, such as the International Crisis Group, were set up. [11] The UN General Assembly and Security Council in 2000 adopted resolutions recognizing the vital role of all parts of the United Nations system in conflict prevention. [12] The Organization for Security and Cooperation in Europe (OSCE) has also developed a number of innovative internal mechanisms and practices toward preventing conflict in Europe.

Prevention in the area of natural disasters is also crucial. A human security approach would improve disaster preparedness by identifying risk-prone areas and encouraging families to move or develop insurance and coping mechanisms; or by teaching earthquake-resistant building techniques and irrigation and planting techniques that acknowledge fragile environments. Direct investment in disaster preparation, and targets for reducing disaster risk have been called for strongly by those who work in disaster preparedness.

Despite these encouraging moves, there is still a lack of expertise, human resources, and particularly the political will to provide accurate and reliable early-warning information. Many states are still reluctant to accept any internationally endorsed preventive measures. They fear that internationalization of the problem will result in further external “interference” and spark a slippery slope to intervention.

Poverty and economic inequality

Poverty and economic inequality are root causes of global insecurity and hence receive much attention within the human security approach. Currently, one fifth of the world’s population (equivalent to 1.2 billion people) experiences extreme poverty, with an income of less than $1 a day. A significant portion of this population resides in Africa and Asia. A further 1.6 billion live on less than $2 a day, so that 2.8 billion of the world's 6 billion people live in poverty and daily insecurity.

There are four main policy actions related to poverty and inequality that promote human security.

Encouraging growth that reaches the extreme poor

Healthy and sustainable growth is the mix of policies that support productivity, employment creation, enterprise and human resource development.

  • There has to be an emphasis on basic education as a prime mover of change.
  • Wide dissemination of basic economic entitlements (through education and training, land reform, credit) broadens access to the opportunities offered by the market economy.
  • State action has to be judiciously combined with the use of the market economy.
  • A wide range of institutional interventions is required to enhance capabilities, promote social opportunities and support market arrangements.

Supporting sustainable livelihoods and decent work

The workplace is where most people build or lose their economic security. There are several ways to help people gain security in the workplace. Workers' unions empower people to represent their needs and thus to protect their human security. Long-term firm loyalty and relationships also provide security. Changes in the global economy have altered production and work patterns. Some trends, such as a growing informal sector and increasing female participation in the work force, have had a significant impact on the availability of jobs, especially for low-skilled workers. Because of these trends there is a need to deal with environmental factors, address gender asymmetries in livelihoods and support microcredit initiatives that enable poor people to participate in economic activity.

Providing social protection for all situations

Social protection aims to provide a social minimum to ensure that every person is able to enjoy a basic quality of life. Governments, business and citizens are required to take measures to ensure that there is adequate social protection for all, including the working poor and those not in paid work. Such measures should include employer- and employee-based contributions to unemployment insurance, pensions and training, as well as government-subsidized social assistance (through public works).

These measures can provide a minimum economic and social standard, based on dialogue with all social actors, for those in chronic poverty as well as those who suffer temporary economic hardship during economic downturns and other crises. Policies and programmes to address the special needs of children, the elderly and the disabled should also be incorporated into social protection arrangements.


Humanitarian intervention


The application of human security is highly relevant within the area of humanitarian intervention, as it focuses on addressing the deep-rooted and multi-factorial problems inherent in humanitarian crises, and offers more long-term resolutions. However, the implementation of humanitarian intervention has been debated because of its various problems and failed projects, such as the interventions in Srebrenica and Somalia, as well as the consequences of non-intervention, as witnessed in the Rwandan genocide. This debate pushed United Nations Secretary General Kofi Annan to challenge the international community to find a new approach to humanitarian intervention that responded to its inherent problems.

The Responsibility to Protect

In 2001, the International Commission on Intervention and State Sovereignty (ICISS) produced "The Responsibility to Protect", a comprehensive report detailing how the “right of humanitarian intervention” could be exercised. It was considered a triumph for the human security approach, as it emphasized and gathered much-needed attention to some of its main principles:

  • The protection of individual welfare is more important than the state. If the security of individuals is threatened internally by the state or externally by other states, state authority can be overridden.
  • Addressing the root causes of humanitarian crises (e.g. economic, political or social instability) is a more effective way to solve problems and protect the long-term security of individuals.
  • Prevention is the best solution. A collective understanding of the deeper social issues along with a desire to work together is necessary to prevent humanitarian crises, thereby preventing a widespread absence of human security within a population (which may mean investing more in development projects).

Human security has been suggested to be particularly useful in examining the causes of conflicts that explain and justify humanitarian interventions. Additionally, it could also be a paradigm for identifying, prioritizing and resolving large transnational problems. However, human security still faces difficulties concerning the scope of its applicability, as large problems requiring humanitarian intervention usually are built up from an array of socio-political, cultural and economic problems that may be beyond the limitations of humanitarian projects. On the other hand, successful examples of the use of human security principles within interventions can be found. One example is the independence of East Timor in 1999.

East Timor

The establishment of East Timorese independence from Indonesia in 2002 can be partially credited to a successful international humanitarian effort and can be seen to vindicate the human security ideal. Prior to independence, East Timor was plagued by massive human rights abuses by pro-Indonesian militias and an insurgency war led by indigenous East Timorese against Indonesian forces. After the resignation of President Suharto and an East Timorese vote for independence, the UN and international community were forced to respond to growing post-referendum violence. These peacekeeping missions eventually safeguarded and moved the country into full independence.

The UN also created the United Nations Transitional Administration in East Timor (UNTAET), a peacekeeping force that was present not simply to address military and traditional security priorities, but also to help manage nation-building projects, coordinate humanitarian, rehabilitation and development assistance, and organise civil services for the country. Additionally, education and training programs were instituted by UNTAET to strengthen civil society and create an economically viable domestic environment. Thus security was moved beyond just military concerns to encompass health, education and development - all crucial to the security of the individual, but usually ignored by state-centric security analysis.

Anti Personnel Landmines

State Parties to the Ottawa Treaty

Arms control is also an important priority for Human Security advocates, closely linked with the Freedom from Fear agenda. An oft-claimed example of this is the Ottawa Convention banning anti-personnel landmines. The Convention has been described as an illustration of how human security can work in the real world, as a coalition of like-minded powers, along with civil society, worked together to eliminate anti-personnel land mines. The process leading up to the formation of the Convention was quite a departure from that of traditional security instruments, with massive involvement from non-government groups and civil society - it could almost be seen as NGOs bringing governments to the negotiating table. Viewing mines through the human security lens helped to focus the debate on the impact on individuals, as opposed to the survival of the state, and is possibly a key reason for the Convention's success.

In contrast to traditional security discourses, which see security as focused on protecting state interests, human security argued that mines could not be viable weapons of war due to the massive collateral damage they cause, their indiscriminate nature and persistence after conflict. Whereas traditionally, states would justify these negative impacts of mines due to the advantage they give on the battlefield, under the human security lens, this is untenable as the wide-ranging post-conflict impact on the day-to-day experience of individuals outweighs the military advantage.

Since arms control was often considered impregnable by non-government groups, the Ottawa Convention was something of a watershed for human security, as it demonstrated the efficacy of civil society pressure even in this reified area of international relations. Groups operated at all levels of civil society, with wide-ranging campaigns which demonstrated commitments from both grass-roots and top-down approaches. In Ottawa, the negotiations were moved outside traditional disarmament forums, thus avoiding the entrenched logic of traditional arms control measures.

While critics of human security note the absence of the United States as a signatory to the treaty, considering this as a critical blow to its effectiveness, .

Terrorism


The global threat of terrorism is an important test case for the Human Security agenda. Proponents argue that a Human Security approach would alleviate many of the deficiencies in a traditional, state-centered counter-terrorist approach. Traditional measures use international sanctions or military force, which are directed against a specific country rather than a specific target. Besides human casualties and unnecessary economic dislocation, this also fuels feelings of unrest that may escalate into conflict. State-centered measures for internal security, such as detention without trial, body searches and night raids, also threaten to erode the very civil liberties they seek to protect.

Overall, human security proponents assert that these traditional measures seem to exacerbate the problem. They advocate that governments should focus on designing people-centered interventions to address enduring, underlying problems.

  • Any intervention to address the threat of terrorism must be context-specific and acknowledge local culture and historiography. Interventions require time to demonstrate success, but inclusionary practices will be influential in achieving human security. Concessions can be made, including rebuilding of social infrastructure, economic investment, the provision of trauma counselling, inclusion of religious figures and active programs for reconciliation. Participation of a diverse group of actors, including policy-makers, private enterprises, public service providers and social entrepreneurs, will foster neutrality. We need to listen, actively promote symmetry in dialogue, and be ready to accommodate alternative discourses on the experience of modernity.
  • Human security also emphasizes the protection of human rights and respect for the rule of law. In many countries, some counter-terrorist measures violate human rights. Abuses include detention without judicial review and subjecting people to torture during the transfer, return and extradition of persons between or within countries. Such measures restrain citizens’ rights or freedoms and breach the principle of non-discrimination. Such violations arguably serve to exacerbate the threat of terrorism. Human security argues that a failure to respect human rights in one state may undermine international efforts to cooperate in combating terrorism[26]; thus more effort should be invested in the effective inclusion of human rights protection.
  • Human security further emphasizes the need to address physical, psychological and political dimensions. The psychological aspect highlights that the violence of a traditional military response simply begets further violence, and provokes and consolidates support for those groups. Instead, sustainable victory in such conflict situations means “to win a battle for the society, for its mindsets and psychologies, to address sources of grievance and anxiety, and to shore up institutions of governance.”

Infectious disease


Human security proponents have long argued that the "scope" of global security should be expanded to include the threat of infectious disease. The primary goal of human security is the protection of individuals, and infectious diseases (such as HIV/AIDS, SARS, and H5N1) are among the most serious threats to individuals around the world. Especially with the accelerating speed of globalization, the outbreak of an infectious disease in one particular country can be brought to others quickly by the intensification of international transportation. Given the transnational nature of infectious disease, traditional unilateral, state-centered policy approaches to these threats are ineffective over the long run. Therefore, adopting a people-centered Human Security model, with its emphasis on prevention, individual empowerment, and treatment strategies delivered by an array of global actors, is possibly a pioneering approach to dealing with the increasing diversity of contagious diseases.

Human security supports broadening the responsibility for ensuring health security. It is shifting down from the national level to individuals, communities and civil organizations, and upward to international institutions and networks. Hence, modernizing international health rules and regulations, fostering partnerships between public and private sectors, and enhancing communication and cooperation among states become more important. Take HIV/AIDS in sub-Saharan Africa as an example: the relatively low education level of the population and insufficient penetration of knowledge about HIV/AIDS hinder people from realising the serious impacts of HIV/AIDS. Low levels of technology, ineffective management of resources and poor implementation of corresponding policies by leaders further make the spread of the disease uncontrollable. Human Security proponents argue that by focusing on the health burdens faced by local communities and individuals, our policy responses will be able to address the roots of the problem.

In addition, the traditional approach to security is more of a rationale for maintaining the current power status of the state, and this may sometimes outweigh individuals' safety and health concerns. Apart from guarding against military dangers, the state may also prioritize the protection of its reputation and the assurance of its economic development.

For example, in China, prevention of international intervention in internal affairs and protection of its tourism and economy may explain Chinese silence during the SARS epidemic in 2003. Its late disclosure of SARS data is one of the main reasons for the outbreak of SARS in other places. Even in the case of H5N1, China has been suspected of concealing cases of bird flu in several provinces for many months in 2005.

Sonagachi Project

In Calcutta, India, the Sonagachi Project, cited by UNAIDS as a "best-practice" model of working with women and men in prostitution, has reached more than 30,000 persons working in the commercial sex sector at risk of HIV/AIDS, mainly through peer-based outreach services.

This project demonstrates the collective power of different organizations and the government. It was initiated by the All India Institute of Hygiene and Public Health (AIIH&PH) in 1992 as the STD/HIV Intervention Programme (SHIP), in consultation with the National AIDS Control Organization (NACO) of India, the Ministry of Health and Family Welfare of West Bengal, and WHO. Later donors included NORAD, DfID, and HORIZONS/USAID. It also includes two non-governmental organizations as partners, the Health and Eco-Defence Society and the Human Development and Research Institute.

In line with human security principles, the approach of this project is based on the needs of the individuals, which are then catered to specifically. Sonagachi's peer educators help to stop the spread of HIV/AIDS among women and men in prostitution through strategies intended to earn their trust, to reduce their social isolation, to increase their social participation, and to confront stigma and discrimination.



Environmental degradation and extreme climates have direct impacts on human security, as they mean humans are prone to more natural disasters and are faced with decreasing resources. In addition, as the earth’s climate changes more rapidly, an increase in violent conflict is likely due to resource scarcity and an exacerbated North-South disparity. Sources of possible conflict include wide-spread refugee movement, a fall in global food production and reduction in water supply. Water and energy, for example, are essential resources which have led to military and political turmoil worldwide. Altered resource availability causing food shortages results in political disputes, ethnic tensions and civil unrest, which in turn form the basis for regional conflicts that eventually go global. Furthermore, vulnerability to climate change can be exacerbated by other non-climate factors such as HIV/AIDS, poverty, unequal access to resources and economic globalization, making human security all the more susceptible.

A more recent example of how global warming impacts human security is the Darfur conflict. Climate change has brought the Sahara steadily southward, and droughts are more frequent in this stretch of dry land, wiping out food production. As a result there is less arable land, with many people fighting for it. Indeed, a report by the CNA Corporation describes climate change as a “threat multiplier” in volatile parts of the world.

Nowadays, many still view global warming in terms of the national security framework. These national threats, however, can be easily transposed into a human security context. Peter Gleick, President of the Pacific Institute for Studies in Development, Environment, and Security, considers the three biggest threats to national security to be:

  • Food shortages caused by reductions in agricultural production capacities
  • Shortages of safe drinking water due to flooding and droughts
  • Shortages of natural resources due to disruption caused by ice and storms

These threats are, in fact, inextricably linked with the impacts of global warming on human security as a whole.

The IPCC Fourth Assessment Report points out various environmentally effective policies which different actors in different sectors can take to reduce the impact of global warming, many of which are familiar, such as appliance standards and labelling and providing renewable energy incentives. Effective action to combat the issues of global warming and climate change requires changing individuals’ apathy into action to supplement and encourage existing channels for climate change response.

Criticisms

Ambiguity of the Concept

It remains unclear whether the concept of human security can serve as a practical guide. First, like “sustainable development”, the concept lacks a precise definition. Second, it is the supporters of human security that try to keep the term expansive and vague, so that "human security" can keep the coalition of middle power states, development agencies, and NGOs

Questions on the Practice

Further and deeper questions about this approach revolve around how this concept has been and could be practiced; whether or not the "human security" approach is the best tool for addressing global threats and how practical or feasible these measures are. The allocation of available resources alone may preclude addressing all of the varied threats to human security as outlined in the Human Development Report and Millennium Development Goals.

Moreover, it is doubtful if the world has extra time and effort to deal with so many aspects – intra-state conflicts, humanitarian interventions, economic security, environmental security and so on, while its work in alleviating inter-state conflicts is still far from perfect. The concept of human security, especially the Freedom from Want school, seems to be too idealistic.

State Sovereignty

Many concepts under human security, like humanitarian intervention, violate the traditional principle of state sovereignty - a deep-rooted concept. The Group of 77 (G77) had expressed its skepticism for fear it would lead to violations of state sovereignty. As states still serve as major players in global affairs, the unwillingness of states to give up parts of their sovereignty will make human security largely ineffective.

In addition, it is probable that human security would become another convenient excuse for powerful states to bully the weak. It is argued that only powerful states, especially those from the West, can determine whose human rights justify departure from the principle of non-intervention - a resemblance to imperialism. Some have even accused "the Responsibility to Protect" of being merely a euphemism for American hegemony.

Cyber-security regulation

In the United States, cyber-security regulation consists of directives from the Executive Branch and legislation from Congress that safeguard information technology and computer systems. The purpose of cyber-security regulation is to force companies and organizations to protect their systems and information from cyber-attacks. Cyber-attacks include viruses, worms, Trojan horses, phishing, denial of service (DoS) attacks, unauthorized access (stealing intellectual property or confidential information) and control system attacks. There are numerous measures available to prevent cyber-attacks. Cyber-security measures include firewalls, anti-virus software, intrusion detection and prevention systems, encryption and login passwords. Federal and state governments in the United States have attempted to improve cyber-security through regulation and through collaborative efforts between government and the private sector to encourage voluntary improvements to cyber-security.

Reasons for cyber-security

The United States government believes the security of computer systems is important for two reasons. The increased role of Information Technology (IT) and the growth of the e-commerce sector have made cyber-security essential to the economy. Also, cyber-security is vital to the operation of safety-critical systems, such as emergency response, and to the protection of infrastructure systems, such as the national power grid.

Federal government regulation

There are few federal cyber-security regulations, and the ones that exist focus on specific industries. The three main cyber-security regulations are the 1996 Health Insurance Portability and Accountability Act, the 1999 Gramm-Leach-Bliley Act and the 2002 Homeland Security Act, which included the Federal Information Security Management Act (FISMA). These three regulations mandate that healthcare organizations, financial institutions and federal agencies protect their systems and information. For example, FISMA, which applies to every government agency, “requires the development and implementation of mandatory policies, principles, standards, and guidelines on information security.” But these regulations do not address numerous computer-related industries, such as Internet Service Providers (ISPs) and software companies. Furthermore, these regulations do not specify what cyber-security measures must be implemented and require only a “reasonable” level of security. The vague language of these regulations leaves much room for interpretation. Bruce Schneier, founder of Cupertino’s Counterpane Internet Security, argues that companies will not make sufficient investments in cyber-security unless government forces them to do so. He also states that successful cyber-attacks on government systems still occur despite government efforts.

State government regulation

State governments have attempted to improve cyber-security by increasing public visibility of firms with weak security. In 2003, California passed the Notice of Security Breach Act, which requires that any company that maintains personal information of California citizens and has a security breach must disclose the details of the event. Personal information includes name, social security number, driver’s license number, credit card number or financial information. Several other states have followed California’s example and passed similar security breach notification regulations. These security breach notification regulations punish firms for their cyber-security failures while giving them the freedom to choose how to secure their systems. Also, this regulation creates an incentive for companies to voluntarily invest in cyber-security to avoid the potential loss of reputation, and the resulting economic loss, that can come from a successful cyber-attack.

In 2004, California passed California Assembly Bill 1950, which also applies to businesses that own or maintain personal information about California residents. This regulation dictates that businesses maintain a reasonable level of security and that these required security practices also extend to business partners. This regulation is an improvement on the federal standard because it expands the number of firms required to maintain an acceptable standard of cyber-security. However, like the federal legislation, it requires only a “reasonable” level of cyber-security, which leaves much room for interpretation until case law is established.

Other government efforts

In addition to regulation, the federal government has tried to improve cyber-security by allocating more resources to research and by collaborating with the private sector to write standards. In 2003, the President’s National Strategy to Secure Cyberspace made the Department of Homeland Security (DHS) responsible for security recommendations and for researching national solutions. The plan calls for cooperative efforts between government and industry “to create an emergency response system to cyber-attacks and to reduce the nation’s vulnerability to such threats.” In 2004, Congress allocated $4.7 billion toward cyber-security and achieving many of the goals stated in the President’s National Strategy to Secure Cyberspace. Some industry security experts state that the President’s National Strategy to Secure Cyberspace is a good first step but is insufficient. Bruce Schneier stated that “The National Strategy to Secure Cyberspace hasn’t secured anything yet.” However, the President’s National Strategy clearly states that its purpose is to provide a framework for the owners of computer systems to improve their security, rather than the government taking over and solving the problem. Yet companies that participate in the collaborative efforts outlined in the strategy are not required to adopt the discovered security solutions.

Proposed regulation

The U.S. Congress has proposed numerous bills that expand upon cyber-security regulation. The Consumer Data Security and Notification Act amends the Gramm-Leach-Bliley Act to require disclosure of security breaches by financial institutions. Congressmen have also proposed “expanding Gramm-Leach-Bliley to all industries that touch consumer financial information, including any firm that accepts payment by a credit card.” Congress has proposed cyber-security regulations similar to California’s Notice of Security Breach Act for companies that maintain personal information. The Information Protection and Security Act requires that data brokers “ensure data accuracy and confidentiality, authenticate and track users, detect and prevent unauthorized activity, and mitigate potential harm to individuals.”

In addition to requiring companies to improve cyber-security, Congress is also considering bills that criminalize cyber-attacks. The Securely Protect Yourself Against Cyber Trespass Act (SPY ACT) is a bill of this type. This bill, which focuses on phishing and spyware, was passed on May 23, 2005 in the United States House of Representatives and is currently in committee in the Senate. It “makes unlawful the unauthorized usage of a computer to take control of it, modify its settings, collect or induce the owner to disclose personally identifiable information, install unsolicited software, and tamper with security, anti-spyware, or anti-virus software.”

Pro-regulation opinions

While experts agree that cyber-security improvements are necessary, there is disagreement about whether the solution is more government regulation or more private-sector innovation. Many government officials and cyber-security experts believe that the private sector has failed to solve the cyber-security problem and that regulation is needed. Richard Clarke states that, “Industry only responds when you threaten regulation. If industry doesn’t respond [to the threat], you have to follow through.” He believes that software companies must be forced to produce more secure programs. Bruce Schneier also supports regulation that encourages software companies to write more secure code through economic incentives. U.S. Rep. Rick Boucher (D-VA) proposes improving cyber-security by making software companies liable for security flaws in their code. In addition to improving software security, Clarke believes that certain industries, such as utilities and ISPs, require regulation.

Anti-regulation opinions

On the other hand, many private-sector executives believe that more regulation will restrict their ability to improve cyber-security. Harris Miller, president of the Information Technology Association of America, believes that regulation inhibits innovation.[31] Rick White, President and CEO of TechNet, also opposes more regulation. He states that, “The private-sector must continue to be able to innovate and adapt in response to new attack methods in cyber space, and toward that end, we commend President Bush and the Congress for exercising regulatory restraint.”[32] Another reason many private-sector executives oppose regulation is that it is costly. Firms are just as concerned about regulation reducing profits as they are about regulation limiting their flexibility to solve the cyber-security problem efficiently.

Organizational Systems Security Analyst

The Organizational Systems Security Analyst (OSSA) is a technical, vendor-neutral Information Security certification programme offered in Asia. It consists of a specialized information security training and certification course and a practical examination, which technical Information Technology professionals can attend in order to become skilled and effective technical Information Security professionals and to prove their level of competence and skill by passing the examination.

Technical staff enrolling in the programme are taught how to address the technical security issues they encounter in daily operations and how to methodically establish, operate and maintain security for their organization's computer network and computer systems infrastructure. The programme was developed by ThinkSECURE, an Information Security certification body and consultancy, and has been granted the "ISECOM-Approved" seal by the Institute for Security and Open Methodologies (ISECOM), an international security institution.

The OSSA programme does not focus on hackers' tools, as these quickly become obsolete once software patches are released. It first looks at security from a methodological perspective, drawing lessons from Sun Tzu's "Art of War" to generate a security framework, and then populates that framework with resources and tools by which the various security aims and objectives, such as "how to defend your server against a hacker's attacks", can be met.

Sun Tzu's 'Art of War' treatise is used to provide a guiding philosophy throughout the programme, addressing both offensive threats and the defensive measures needed to overcome them. The philosophy also extends to the sections on incident response methodology (i.e. how to respond to security breaches), computer forensics and the impact of law on security-related activities such as the recovery of information from a computer crime suspect's hard drive. Under the programme, students work through coursework and gain hands-on experience in setting up and maintaining a complete enterprise-class security monitoring and defence infrastructure, including firewalls, network intrusion detection systems, file-integrity checkers, honeypots and encryption. An attacker's methodology is also introduced to help technical staff identify the modus operandi of an attacker and his arsenal.

The generic title sections under the programme appear to comprise the following:

  • What is Information Security
  • Network 101
  • Defending your Turf & Security Policy Formulation
  • Defensive Tools & Lockdown
  • The 5E Attacker Methodology: Attacker Methods & Exploits
  • Wireless (In)Security
  • Incident Response & Computer Forensics
  • The Impact Of Law

Under each section are many modules, for example the defensive section covers the setting up of firewalls, NIDS, HIDS, honeypots, cryptographic software, etc.

The OSSA programme consists of both practical hands-on lab-based coursework and a practical hands-on lab-based certification examination. According to the ThinkSECURE website, the rationale for this is that only those who prove they can apply their skills and knowledge to a completely new and unknown exam setup will be certified, while those who only know how to cram for exams by memorizing facts and figures and visiting brain-dump sites will not. Compared to non-practical multiple-choice exam formats, this method of examination is presented as beneficial for the Information Security industry and employers as a whole because it:

  • makes sure only candidates who can prove ability to apply skills in a practical examination are certified.
  • stops brain-dumpers from attaining and devaluing the certification as a basis of competency evaluation.
  • protects people's and companies' money and time investment in getting certified.
  • helps employers identify technical staff who are more skilled.
  • provides the industry with a pool of competent, qualified technical staff.


Computer security

Computer security is an application of information security to both theoretical and actual computer systems. For the sake of simplicity, issues regarding privacy are handled under the subject of information privacy rights. For the purpose of this article, computer security is a branch of computer science that addresses the enforcement of 'secure' behaviour in the operation of computers. The definition of 'secure' varies by application and is typically defined, implicitly or explicitly, by a security policy that addresses the confidentiality, integrity and availability (see CIA triad) of electronic information processed by or stored on computer systems.

The traditional approach is to create a trusted security kernel that exploits special-purpose hardware mechanisms in the microprocessor to constrain the operating system and the application programs to conform to the security policy. Such systems can isolate processes and data into specific domains and restrict the access and privileges of users. This approach avoids having to trust most of the operating system and the applications.

In addition to restricting actions to a secure subset, a secure system should still permit authorized users to carry out legitimate and useful tasks. It might be possible to secure a computer against misuse using extreme measures:

The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts.
Eugene H. Spafford, director of the Purdue Center for Education and Research in Information Assurance and Security. [1]

It is important to distinguish the techniques used to increase a system's security from the question of that system's actual security status. In particular, systems which contain fundamental flaws[1] in their security designs cannot be made secure without compromising their usability. Most computer systems cannot be made secure even after the application of extensive "computer security" measures, and where they are made secure, functionality and ease of use often decrease.

Computer security can also be seen as a subfield of security engineering, which looks at broader security issues in addition to computer security.

Secure operating systems

One use of the term computer security refers to technology for implementing a secure operating system. Much of this technology is based on science developed in the 1980s and was used to produce some of the most penetration-resistant operating systems ever built. Though still valid, the technology is almost inactive today, perhaps because it is complex or not widely understood. Such high-assurance secure operating systems are based on operating system kernel technology that can guarantee that certain security policies are enforced in an operating environment. An example of such a computer security policy is the Bell-LaPadula model. The strategy couples special microprocessor hardware features, often involving the memory management unit, to a specially designed and correctly implemented operating system kernel. This forms the foundation for a secure operating system which, if certain critical parts are designed and implemented correctly, can give very high assurance against penetration by hostile elements. This capability is possible because the configuration not only imposes a security policy but, in theory, completely protects itself from corruption. Ordinary operating systems, on the other hand, lack the features that assure this level of security. The design methodology used to produce such secure systems is precise, deterministic and logical.

Systems designed with such methodology represent the state of the art of computer security, and the capability to produce them is not widely known. In sharp contrast to most kinds of software, they meet their specifications with verifiable certainty comparable to specifications for size, weight and power. Secure operating systems designed this way are used primarily to protect national security information and military secrets. These are very powerful security tools, and very few secure operating systems have been certified at the highest level (Orange Book A1) to operate over the range of "Top Secret" to "unclassified" (including Honeywell SCOMP, USAF SACDIN, NSA Blacker and Boeing MLS LAN). The assurance of security depends not only on the soundness of the design strategy but also on the assurance of correctness of the implementation, and therefore there are degrees of security strength defined for COMPUSEC. The Common Criteria quantifies the security strength of products in terms of two components: security functional requirements (often expressed as a Protection Profile) and assurance requirements (the Evaluation Assurance Levels, EAL1 to EAL7). None of these ultra-high assurance secure general-purpose operating systems has been produced for decades or certified under the Common Criteria.
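As an added illustration of the kind of policy such a kernel enforces, the following Python reference monitor implements the two Bell-LaPadula rules over a label lattice of hierarchical levels plus need-to-know compartments. This is example code written for this page, not code from SCOMP, Blacker or any other system named above; the levels, compartment names, subjects and objects are constructed for the demo, and an unknown subject or object is denied rather than passed through.

```python
"""Bell-LaPadula reference monitor over a label lattice.

Added illustration, not code from the page or from any system it names.
Levels, compartments, subjects and objects are constructed for the demo.
"""
from dataclasses import dataclass, field

# Hierarchical levels; compartments (need-to-know categories) turn the
# label space into a lattice rather than a simple total ordering.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other):
        """L1 dominates L2 iff level(L1) >= level(L2) and comps(L1) is a superset of comps(L2)."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


class ReferenceMonitor:
    """Every access decision goes through here; callers never handle labels."""

    def __init__(self):
        self._subjects = {}
        self._objects = {}

    def add_subject(self, name, level, *compartments):
        self._subjects[name] = Label(level, frozenset(compartments))

    def add_object(self, name, level, *compartments):
        self._objects[name] = Label(level, frozenset(compartments))

    def can_read(self, subject, obj):
        """Simple security property: no read up (subject must dominate object)."""
        try:
            return self._subjects[subject].dominates(self._objects[obj])
        except KeyError:
            return False  # unknown subject or object: fail secure, deny

    def can_write(self, subject, obj):
        """*-property: no write down (object must dominate subject)."""
        try:
            return self._objects[obj].dominates(self._subjects[subject])
        except KeyError:
            return False


def build_demo():
    """Constructed example: one analyst, three objects at different labels."""
    rm = ReferenceMonitor()
    rm.add_subject("analyst", "SECRET", "CRYPTO")
    rm.add_object("bulletin", "CONFIDENTIAL")
    rm.add_object("intercepts", "TOP SECRET", "CRYPTO")
    rm.add_object("reactor_plans", "SECRET", "NUCLEAR")
    return rm


if __name__ == "__main__":
    rm = build_demo()
    for obj in ("bulletin", "intercepts", "reactor_plans"):
        print(f"{obj:14} read={rm.can_read('analyst', obj)!s:5} "
              f"write={rm.can_write('analyst', obj)}")
```

The third object shows why compartments matter: the analyst is cleared to SECRET but not for NUCLEAR, so neither reading nor writing reactor_plans is permitted even though the levels alone would allow a read. A real BLP kernel also needs trusted subjects and a tranquility rule for relabelling, which this sketch omits.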

Computer Security By Design

The technologies of computer security are based on logic. There is no universal standard notion of what secure behavior is. "Security" is a concept that is unique to each situation. Security is extraneous to the function of a computer application rather than ancillary to it; thus security necessarily imposes restrictions on the application's behavior.

There are several approaches to security in computing; sometimes a combination of approaches is valid:

  • Trust all the software to abide by a security policy but the software is not trustworthy (this is computer insecurity).
  • Trust all the software to abide by a security policy and the software is validated as trustworthy (by tedious branch and path analysis for example).
  • Trust no software but enforce a security policy with mechanisms that are not trustworthy (again this is computer insecurity).
  • Trust no software but enforce a security policy with trustworthy mechanisms.

Many systems unintentionally end up in the first category. Approaches one and three lead to failure. Since approach two is expensive and non-deterministic, its use is very limited. Because approach four is often based on hardware mechanisms and avoids abstractions and a multiplicity of degrees of freedom, it is more practical. Combinations of approaches two and four are often used in a layered architecture, with thin layers of two and thick layers of four.

There are myriad strategies and techniques used to design security systems. There are few, if any, effective strategies to enhance security after design.

One technique enforces the principle of least privilege to a great extent: an entity has only the privileges that are needed for its function. That way, even if an attacker gains access to one part of the system, fine-grained privilege boundaries ensure that reaching the rest is just as difficult.

Furthermore, by breaking the system up into smaller components, the complexity of individual components is reduced, opening up the possibility of using techniques such as automated theorem proving to prove the correctness of crucial software subsystems. This enables a closed-form solution to security that works well when only a single well-characterized property can be isolated as critical, and that property is amenable to mathematical treatment. Not surprisingly, it is impractical for generalized correctness, which probably cannot even be defined, much less proven. Where formal correctness proofs are not possible, rigorous use of code review and unit testing represents a best-effort approach to making modules secure.

The design should use "defense in depth", where more than one subsystem needs to be violated to compromise the integrity of the system and the information it holds. Defense in depth works when the breaching of one security measure does not provide a platform for subverting another. Also, the cascading principle acknowledges that several low hurdles do not make a high hurdle: cascading several weak mechanisms does not provide the safety of a single stronger mechanism.

Subsystems should default to secure settings, and wherever possible should be designed to "fail secure" rather than "fail insecure" (see fail safe for the equivalent in safety engineering). Ideally, a secure system should require a deliberate, conscious, knowledgeable and free decision on the part of legitimate authorities in order to make it insecure.

In addition, security should not be an all or nothing issue. The designers and operators of systems should assume that security breaches are inevitable. Full audit trails should be kept of system activity, so that when a security breach occurs, the mechanism and extent of the breach can be determined. Storing audit trails remotely, where they can only be appended to, can keep intruders from covering their tracks. Finally, full disclosure helps to ensure that when bugs are found the "window of vulnerability" is kept as short as possible.
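The two preceding paragraphs call for fail-secure defaults and for audit trails kept where they can only be appended to. The following Python example, written for this page and not taken from it, shows the usual way to make such a log self-checking: each entry commits to the SHA-256 of its predecessor, so an intruder who edits an earlier entry breaks the chain, and a head hash checkpointed on a remote collector (here an in-memory stand-in) exposes truncation, which a bare chain cannot detect. The sample events are constructed, and the verifier refuses malformed input rather than skipping it.

```python
"""Hash-chained, append-only audit log with tamper and truncation detection.

Added illustration, not code from the page. The records and the "remote
checkpoint" are constructed in-memory stand-ins for a real append-only collector.
"""
import hashlib
import json

GENESIS = "0" * 64  # chain head before any entry exists


def _canonical(record):
    # Deterministic serialisation so the same record always hashes the same.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _entry_hash(prev_hash, record):
    return hashlib.sha256(prev_hash.encode() + b"\n" + _canonical(record)).hexdigest()


def append(log, record):
    """Append a record; each entry commits to the hash of its predecessor."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"prev": prev, "record": record, "hash": _entry_hash(prev, record)}
    log.append(entry)
    return entry["hash"]


def verify(log, expected_head=None):
    """Return (ok, first_bad_index). Malformed entries fail closed, not open."""
    prev = GENESIS
    for i, entry in enumerate(log):
        try:
            if entry["prev"] != prev or entry["hash"] != _entry_hash(prev, entry["record"]):
                return False, i
            prev = entry["hash"]
        except (KeyError, TypeError):
            return False, i
    if expected_head is not None and prev != expected_head:
        return False, len(log)  # internally consistent, but the tail has been cut off
    return True, -1


def demo():
    """Constructed sample events, then two attacks on the stored log."""
    log = []
    head = GENESIS
    for rec in ({"ts": 1, "user": "alice", "action": "login"},
                {"ts": 2, "user": "alice", "action": "sudo", "cmd": "cat /etc/shadow"},
                {"ts": 3, "user": "alice", "action": "logout"}):
        head = append(log, rec)
    checkpoint = head  # stands in for the head hash held by a remote collector

    results = {"clean": verify(log, checkpoint)}

    # Attack 1: the intruder edits the incriminating entry in place.
    tampered = json.loads(json.dumps(log))
    tampered[1]["record"]["cmd"] = "ls"
    results["edited"] = verify(tampered, checkpoint)

    # Attack 2: the intruder deletes the tail; the chain alone still checks out.
    truncated = log[:2]
    results["truncated_no_checkpoint"] = verify(truncated)
    results["truncated_with_checkpoint"] = verify(truncated, checkpoint)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:26} ok={outcome[0]!s:5} first_bad={outcome[1]}")
```

The chain on its own only proves internal consistency; an intruder who controls the whole file can rewrite every hash after an edit. That is why the head must be anchored somewhere the intruder cannot write, whether a remote collector, a periodically published digest, or an HMAC key held only by the collector.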

Early History of Security By Design

The early Multics operating system was notable for its early emphasis on computer security by design, and Multics was possibly the very first operating system to be designed as a secure system from the ground up. In spite of this, Multics' security was broken, not once, but repeatedly. The strategy was known as 'penetrate and test' and has become widely known as a non-terminating process that fails to produce computer security. This led to further work on computer security that prefigured modern security engineering techniques producing closed form processes that terminate.

Secure Coding

If the operating environment is not based on a secure operating system capable of maintaining a domain for its own execution, of protecting application code from malicious subversion, and of protecting the system from subverted code, then high degrees of security are understandably not possible. While such secure operating systems are possible and have been implemented, most commercial systems fall into a 'low security' category because they rely on features not supported by secure operating systems (such as portability). In low-security operating environments, applications must be relied on to participate in their own protection. There are 'best effort' secure coding practices that can be followed to make an application more resistant to malicious subversion.

In commercial environments, the majority of software subversion vulnerabilities result from a few known kinds of coding defects. Common software defects include buffer overflows, format string vulnerabilities, integer overflow, and code/command injection.

Some common languages such as C and C++ are vulnerable to all of these defects (see Seacord, "Secure Coding in C and C++"). Other languages, such as Java, are more resistant to some of these defects, but are still prone to code/command injection and other software defects which facilitate subversion.
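The preceding paragraph's point, that a memory-safe language removes buffer overflows but not injection or format-string defects, can be shown in Python, whose str.format exposes the same class of problem as C's printf. This is an added example, not code from the page or from Seacord's book; the user table, the hypothetical SECRET_KEY constant and the attacker inputs are constructed for the demo.

```python
"""Injection and format-string defects in a memory-safe language.

Added example for the secure-coding discussion; not code from the page.
The user table, SECRET_KEY and the attacker inputs are constructed for the demo.
"""
import sqlite3
import string

# Constructed sample data.
USERS = [("alice", "alice@example.org"), ("bob", "bob@example.org")]
SECRET_KEY = "hypothetical-app-secret"  # stands in for a real credential in module scope


def _db():
    """Fresh in-memory database on each call so the demo is self-contained."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


# --- code/command injection ---------------------------------------------------
def lookup_vulnerable(name):
    """Query text built by interpolation: attacker data is parsed as SQL."""
    rows = _db().execute(f"SELECT email FROM users WHERE name = '{name}'").fetchall()
    return [r[0] for r in rows]


def lookup_hardened(name):
    """Parameterised query: the value travels out of band and is never parsed as SQL."""
    rows = _db().execute("SELECT email FROM users WHERE name = ?", (name,)).fetchall()
    return [r[0] for r in rows]


# --- format-string defect -----------------------------------------------------
class User:
    def __init__(self, name):
        self.name = name


def greet_vulnerable(template, user):
    """str.format on an attacker-controlled template. Field syntax permits
    attribute and item access, so '{u.__init__.__globals__[SECRET_KEY]}'
    walks from the user object to the module globals."""
    return template.format(u=user)


def greet_hardened(template, user):
    """string.Template substitutes only $identifier placeholders from an
    explicit mapping; there is no attribute walk to abuse."""
    return string.Template(template).safe_substitute(name=user.name)


if __name__ == "__main__":
    print(lookup_vulnerable("' OR '1'='1"))   # every email in the table
    print(lookup_hardened("' OR '1'='1"))     # []
    u = User("alice")
    print(greet_vulnerable("{u.__init__.__globals__[SECRET_KEY]}", u))  # leaks SECRET_KEY
    print(greet_hardened("{u.__init__.__globals__[SECRET_KEY]}", u))    # left unchanged
```

Both vulnerable functions share one root cause: attacker-supplied text reaches an interpreter (the SQL engine, the format-string parser) with the same authority as the program's own text. The fixes separate data from code by construction rather than by escaping.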

Recently another bad coding practice has come under scrutiny: dangling pointers. The first known exploit for this particular problem was presented in July 2007. Before this publication the problem was known but considered to be academic and not practically exploitable. [2]

In summary, 'secure coding' can provide significant payback in low-security operating environments and is therefore worth the effort. Still, there is no known way to provide a reliable degree of subversion resistance with any degree or combination of 'secure coding'.

Terms used in Computer Security

The following terms used in engineering secure systems are explained below.

  • Automated theorem proving and other verification tools can enable critical algorithms and code used in secure systems to be mathematically proven to meet their specifications.
  • Thus simple microkernels can be written so that their critical properties can be verified and classes of bugs ruled out: e.g. EROS and Coyotos.

A bigger OS, capable of providing a standard API like POSIX, can be built on a microkernel using small API servers running as normal programs. If one of these API servers has a bug, the kernel and the other servers are not affected: e.g. Hurd.

  • Cryptographic techniques can be used to defend data in transit between systems, reducing the probability that data exchanged between systems can be intercepted or modified.
  • Strong authentication techniques can be used to ensure that communication end-points are who they say they are.

Secure cryptoprocessors can be used to leverage physical security techniques into protecting the security of the computer system.

  • Chain of trust techniques can be used to attempt to ensure that all software loaded has been certified as authentic by the system's designers.
  • Mandatory access control can be used to ensure that privileged access is withdrawn when privileges are revoked. For example, deleting a user account should also stop any processes that are running with that user's privileges.
  • Capability and access control list techniques can be used to ensure privilege separation and mandatory access control. The next sections discuss their use.


  • Do not run an application with known security flaws. Either leave it turned off until it can be patched or otherwise fixed, or delete it and replace it with some other application. Publicly known flaws are the main entry point used by worms to automatically break into a system and then spread to other systems connected to it. The security website Secunia provides a search tool for unpatched known flaws in popular products.
  • Backups are a way of securing information; they are another copy of all the important computer files kept in another location. These files are kept on hard disks, CD-Rs, CD-RWs, and tapes. Suggested locations for backups are a fireproof, waterproof, and heat proof safe, or in a separate, offsite location than that in which the original files are contained. Some individuals and companies also keep their backups in safe deposit boxes inside bank vaults. There is also a fourth option, which involves using one of the file hosting services that backs up files over the Internet for both business and individuals.
    • Backups are also important for reasons other than security. Natural disasters, such as earthquakes, hurricanes, or tornadoes, may strike the building where the computer is located. The building can be on fire, or an explosion may occur. There needs to be a recent backup at an alternate secure location, in case of such kind of disaster. The backup needs to be moved between the geographic sites in a secure manner, so as to prevent it from being stolen.
  • Anti-virus software consists of computer programs that attempt to identify, thwart and eliminate computer viruses and other malicious software (malware).
  • Firewalls are systems which help protect computers and computer networks from attack and subsequent intrusion by restricting the network traffic which can pass through them, based on a set of system administrator defined rules.
  • Access authorization restricts access to a computer to a group of users through the use of authentication systems. These systems can protect either the whole computer - such as through an interactive logon screen - or individual services, such as an FTP server. There are many methods for identifying and authenticating users, such as passwords, identification cards, and, more recently, smart cards and biometric systems.
  • Encryption is used to protect a message from the eyes of others. Classical ciphers did this by transposing characters, substituting them with others, or even removing characters from the message; modern ciphers combine such operations under a secret key so that recovering the message without the key is computationally infeasible. Public key encryption is a refined and practical way of doing encryption. It allows, for example, anyone to write a message for a list of recipients such that only those recipients will be able to read it.
  • Intrusion-detection systems monitor a network for people who are on the network but should not be there, or who are doing things that they should not be doing, for example trying many passwords to gain access to the network.
  • Social engineering awareness - Keeping employees aware of the dangers of social engineering and/or having a policy in place to prevent social engineering can reduce successful breaches of the network and servers.

Capabilities vs. ACLs

Within computer systems, the two fundamental means of enforcing privilege separation are access control lists (ACLs) and capabilities. The semantics of ACLs have been proven to be insecure in many situations (e.g., Confused deputy problem). It has also been shown that ACL's promise of giving access to an object to only one person can never be guaranteed in practice. Both of these problems are resolved by capabilities. This does not mean practical flaws exist in all ACL-based systems — only that the designers of certain utilities must take responsibility to ensure that they do not introduce flaws.

Unfortunately, for various historical reasons, capabilities have been mostly restricted to research operating systems and commercial OSs still use ACLs. Capabilities can, however, also be implemented at the language level, leading to a style of programming that is essentially a refinement of standard object-oriented design. An open source project in the area is the E language.
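The confused deputy cited above, and the language-level capability style mentioned in the paragraph just before this, are both shown in the following added Python example (not code from the page or from E). A compile service is the classic deputy: it may write the billing ledger for its own purposes and is asked by callers where to put their output. The in-memory file store, ACL table and principals are constructed for the demo, and because Python objects are not truly unforgeable, WriteCap illustrates the discipline rather than an enforced boundary.

```python
"""Confused deputy under ACLs, and the same scenario with capabilities.

Added illustration, not code from the page or from E. The file store, ACL
table and principals are constructed in memory for the demo.
"""


class Denied(Exception):
    pass


class Store:
    """In-memory files plus an ACL mapping each path to the principals allowed to write it."""

    def __init__(self):
        self.files = {"/home/bob/out.bin": b"", "/var/billing/ledger": b"charges=0"}
        self.acl = {"/home/bob/out.bin": {"bob", "compiler"},
                    "/var/billing/ledger": {"compiler"}}

    def write_as(self, principal, path, data):
        """ACL model: the check is against whoever performs the write."""
        if principal not in self.acl.get(path, set()):
            raise Denied(f"{principal} may not write {path}")
        self.files[path] = data


# --- ACL version: the deputy acts under its own identity ---------------------
def compile_acl(store, source, output_path):
    """Bills the caller, then writes the caller's output. The service needs
    ledger access for the billing step and uses that same identity for the
    caller-chosen output path, so naming the ledger as 'output' clobbers it."""
    store.write_as("compiler", "/var/billing/ledger", b"charges=1")
    store.write_as("compiler", output_path, b"binary(" + source + b")")


# --- Capability version: the caller supplies what it may already write --------
class WriteCap:
    """A reference granting write access to exactly one path. It is minted only
    by open_for_write, which checks the *requester's* rights, not the deputy's."""

    def __init__(self, store, path):
        self._store, self._path = store, path

    def write(self, data):
        self._store.files[self._path] = data


def open_for_write(store, principal, path):
    if principal not in store.acl.get(path, set()):
        raise Denied(f"{principal} may not write {path}")
    return WriteCap(store, path)


def compile_cap(output_cap, source, ledger_cap):
    """Designation and authority travel together: the deputy can write only
    where the caller could already write, plus its own ledger capability."""
    ledger_cap.write(b"charges=1")
    output_cap.write(b"binary(" + source + b")")


def demo():
    # ACL: bob names the ledger as his output file and the deputy overwrites it.
    s1 = Store()
    compile_acl(s1, b"main.c", "/var/billing/ledger")
    acl_ledger = s1.files["/var/billing/ledger"]

    # Capabilities: bob cannot mint a capability for the ledger, so the attack
    # fails before the deputy is even invoked; a legitimate request still works.
    s2 = Store()
    ledger_cap = open_for_write(s2, "compiler", "/var/billing/ledger")  # held by the service
    try:
        bad_cap = open_for_write(s2, "bob", "/var/billing/ledger")
        compile_cap(bad_cap, b"main.c", ledger_cap)
        cap_attack_blocked = False
    except Denied:
        cap_attack_blocked = True
    legit_cap = open_for_write(s2, "bob", "/home/bob/out.bin")
    compile_cap(legit_cap, b"main.c", ledger_cap)
    return acl_ledger, cap_attack_blocked, s2.files


if __name__ == "__main__":
    ledger, blocked, files = demo()
    print("ACL ledger after attack:", ledger)          # b'binary(main.c)'
    print("capability attack blocked:", blocked)       # True
    print("capability-model files:", files)
```

The ACL deputy has no way to tell a legitimate output path from a hostile one because the permission question is asked about the wrong principal. In the capability version the question is asked once, of the caller, at the moment the capability is created, and the deputy never needs to ask it at all.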

First the Plessey System 250 and then Cambridge CAP computer demonstrated the use of capabilities, both in hardware and software, in the 1970s, so this technology is hardly new. A reason for the lack of adoption of capabilities may be that ACLs appeared to offer a 'quick fix' for security without pervasive redesign of the operating system and hardware.

The most secure computers are those not connected to the Internet and shielded from any interference. In the real world, the most security comes from operating systems where security is not an add-on, such as OS/400 from IBM. This almost never shows up in lists of vulnerabilities for good reason. Years may elapse between one problem needing remediation and the next.

A good example of a secure system is EROS. But see also the article on secure operating systems. TrustedBSD is an example of an open source project with a goal, among other things, of building capability functionality into the FreeBSD operating system. Much of the work is already done.