Page scope, when you want to limit the scope of the variable to the current
JSP page.
Request scope, when you want to sure the variable with all resources used to process a request (
servlet and JSP).
Session scope, when you want to retain values across requests for a single user and browser.
Application scope, when you want all resources in the application to be able to access the variable for the lifetime of the web app.
There are no security implications -- scope is all about what the variable is shared with and how long it lives.