Bruce Schneier

 
 

Schneier on Security

A blog covering security and security technology.


March 22, 2007

"Psychology of Security" Excerpt

My Wired.com column for today is an excerpt from my "Psychology of Security" essay.

Posted on March 22, 2007 at 7:20 AM (6 Comments)


Comments

Link is broken; needs .html appended.

Posted by: Dave Aronson at March 22, 2007 7:57 AM


(Er, the link to the full essay, I mean.)

Posted by: Dave Aronson at March 22, 2007 7:58 AM


There was a similarly themed op-ed in the LA Times last July:
http://www.latimes.com/news/opinion/commentary/la-op-gilbert2jul02,0,7539379.story

Posted by: MD at March 22, 2007 3:32 PM


Good piece!

I would suggest however to read "And when those heuristics fail, our feeling of security diverges from the reality of security." as:
And when those heuristics fail - or are deliberately tampered with - our feeling of security diverges from the reality of security.

See for instance "Folk Devils and Moral Panics" of Stanley Cohen or Adam Curtis' documentary "The Power of Nightmares" (http://news.bbc.co.uk/1/hi/programmes/3755686.stm)

Posted by: alex at March 22, 2007 5:02 PM


Bruce,

I know it's a draft and I am being a bit picky but,

I personally would avoid using a statement like,

"That screws up availability"

In quite a few parts of the world part of the expression will cause offence.

Your last two paragraphs in Representativeness caused me to wince...

In your Base Rate explanation you say "even an accurate test" and go on to imply it is not accurate, i.e. that it can fail and that the rate of failure is significant if not greater than the actual occurrence of what it is testing for. The test is either accurate or it is not, otherwise the test has probabilities and confidence levels.

Then when talking about the law of small numbers you use the analogy of a coin toss without stating it is a "fair coin" which in practice does not exist except as an ideal.

Oh and the bibliography, you have numerous duplicates, the most obvious is the three mentions of Daniel Gilbert's article in the first page (for obvious reasons a three letter word makes it easy to spot even at a cursory glance).

All of that aside, it was a good read, and an interesting starting point. I look forward to reading more in the near future.

Posted by: Clive Robinson at March 26, 2007 9:52 AM


The Wired.com link appears to be dead as well.

Posted by: GPE at March 27, 2007 10:24 AM



Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.

 