Feb 4, 2013 | Article, Michael Lawrence

The Castillo de San Felipe de Barajas in Cartagena is the largest and strongest fortress the Spanish ever built in their colonies. Constructed between 1639 and 1657, then expanding considerably in 1762, the fort defended the “gateway to the new world” from multiple attacks and was never taken. The strategies employed to make the fortress impregnable help delineate three different approaches to security: prevention, protection, and resilience.

Well before any enemy neared the fortress, a fleet of Spanish ships patrolling in concentric “rings of defence” would deter or disrupt its approach, preventing any threat to the fortress. Should the enemy fight through these rings, its high, thick walls would protect it from cannon fire and ground assault, while a series of batteries and parapets arranged to cover one another could eliminate attackers. Perhaps the most interesting feature of the fortress, however, is its complex labyrinth of tunnels deep in its interior. If attackers ever did manage to take the fort, its defenders would retreat into this maze, regroup, and re-take the fortress from within.

While not a perfect analogy, these different layers of defence illustrate three distinct approaches to security.  One security approach is to prevent a threat from arising in the first place, especially by addressing its underlying causes. When the threat cannot be prevented, security as protection aims to defend against, if not eliminate, the threat. But if we cannot fully protect ourselves from the threat, security as resilience considers our ability to “bounce back” and alter the ways in which it affects our social systems — our ability to adapt to threats that actually strike us (1).

The key factor that discerns the three approaches is what they target: the root causes of threats, the threats themselves, or the characteristics of the referent that is threatened. But the three approaches can also be distinguished in a number of other ways, as outlined in the table below.

Security Approach: Security as Prevention Security as Control (Protection) Security as Resilience
Definition This approach seeks to prevent threats from arising in the first place by addressing the underlying causes that generate them before they emerge. This approach seeks to control, defend against, or eliminate a manifest threat. When threats cannot be controlled or eliminated, security as resilience focuses on the ability of social systems to “bounce back” and recover from shocks. It concerns the flexibility and adaptability of societies, their rigidities, and how they can reduce their vulnerability to disruption and collapse.
Focus/Target of the Approach The underlying causes of threats The threats themselves The threatened, particularly the ability of the threatened referent to recover or adapt to threats.
Ontology Threats are generated from the combination of broad underlying structural causes, and proximate causes that mobilize these foundations into concrete threats. A Newtonian-mechanistic universe of relatively simple and predictable causation with a manageable amount of variables. Problems can be reduced to their component parts and isolated. A complex universe composed of too many variables to measure, emergent properties, non-linear causation, phase-shifts, low predictability, and unforeseen shocks. Threats emerge from the interactions of a multitude of variables, and are not reducible to particular parts.
Threat Type



Best suited to threats that have significant and necessary root causes, such as economic inequality, relative deprivation, bad governance, and political exclusion as root causes of civil war. Best suited to threats that can be reduced to particular actors, organizations, and events, which can then be protected against or eliminated, such as a rival state building a nuclear program, or a conventional military threat. Best suited to threats that are complex adaptive systems that can self-organize (not reducible to particular actors) and adapt to defensive measures while evading elimination, such as the drug trade confounding four decades of the war on drugs
Example & Approach: The Drug Trade Demand reduction. The drug war identifies key drug lords and organizations and attacks them through military means with the ultimate goal of eliminating the drug trade through force; crop eradication; drug interdiction. Harm reduction measures that lessen the impacts of drug use; decriminalization of some drugs to ease the enforcement burden; and enforcement measures that target only the most violent traffickers.
Example & Approach: Terrorism Addresses the grievances that compel terrorist action, as well as the social conditions that generate recruits. Drone strikes and other counter-terror measures identify and arrest or assassinate terrorist leaders, while intelligence and enforcement measures disrupt existing terrorist plots. Ensuring that our social systems (trade, travel, communications, energy, etc.) can bounce back from an attack through decoupling, contingency planning, and redundancy; ensuring that heightened security measures to not overburden social systems with complexity, disruptions, resource requirements, and rigidities.


Michael Lawrence is an Associate for the Security Governance Group.


[1] The Castillo de San Felipe de Barajas remains an imperfect analogy because the rings of defense do not exactly target underlying causes, and while the defenders do “bounce back“ from the interior tunnels, this does not quite constitute adaptation to an ongoing threat.