In order to talk about security, it is probably useful and easier to first discuss threats and attacks. An attack is an event that causes reputational or financial harm. A threat is an event that has a positive probability of causing an attack. Of course it is difficult to compute such a probability, and the extent of harm is difficult to measure. Different people may measure or evaluate things differently. If an individual or a company wants protection against threats, this protection can take many forms.
Physical security consists of locks, cameras, alarms, guards, detectives, etc. This is the first line of defense even when the potential attacks are against computers. Computer security consists of hardware and software products that protect against computer based threats, which can be both hardware and software based. Such protection, as we shall see in this blog, is neither perfect nor cheap. “The” question, “Is it worth it?”, is very difficult to answer. Some people and some companies, “security consultants”, make a very good living helping others answer this question. Vendors of security products also provide such advice, either in their sales pitch or in their service offerings. Posts on security here should be helpful if you are responsible for answering “the” question.