It's fun to just sit and talk with people, never know what you'll learn or be forced to rethink based on a different view point. During a recent conversation somehow we got around to security and went beyond the normal IT stuff to security in the real world. I mentioned that I take routine precautions as part of daily life; my front door is always locked and I lock car doors when I drive. My friend was astounded, he never locks his front door (and thus remains nameless here), which in turn astounded me. Why wouldn't you take a simple precaution?

Being security minded means that you are willing to invest some time and effort to protect against something that could happen, but isn't likely to happen. I work in an office with one other person that I definitely trust, but when I walk away from my desk my PC is locked. Why? If he goes out to lunch, gets distracted, etc, I don't want my machine exposed. I definitely don't want to leave my machine unlocked at night when the cleaning crew is in, so rather than special case locking, I just do it all the time.

A lot of people pooh pooh the idea of things like door locks because they won't stop someone that is determined. True enough. But it's a little more complicated than that. Most criminals look for easy scores. If the bad teenager across the street realizes you don't lock your door, they are a lot more likely to venture over when they see you leave to see what they can find. Not likely you say? Let's say a determined person decides to do a home invasion, if they have to break the front door while you're gone it increases the chances that someone else will notice and call for help. If it happens when you're home, it gives you a precious few seconds that can determine whether you or the invader is about to have a very bad day.

Do a few seconds matter? At worst you have time to dial 911 or hit the panic button. If you've absorbed the ideas of defense in depth you may well gain some additional time that lets you make the fight or flight decision. I don't live in a fortress and I'd just as soon never have to react to a bad situation, but I do what I reasonably can to mitigate risks. We can't eliminate risks, only try to mitigate them. Whether you're protecting your home or your database, you should do the things you can do.

Is it preparation or paranoia? Does having to lock your front door imply that something bad might happen and that in turn generates stress? Is it about time, the time it takes to lock/unlock the door a couple times a day?

Remember that as much as possible security should be hidden. It's fine to let visitors to your office see the lock on the server room door, but don't tell them what you do (or don't) for encryption or your plan for offsite backup. Sure they might be able to figure it out one way or the other, but don't make it easy for them. Equally if you implement layers of defense for physical security, you want one or two that are hidden (and not published in your blog!).

Are you doing the things you can reasonably do?

Of course, I think it depends on your point of view. If you reasonably see there is no (or close to zero) risk, then maybe you can defend taking fewer precautions?