Schneier on Security

A blog covering security and security technology.

« Top Ten Anti-Terrorism Patents | Main | Pentagon Consulting Social Scientists on Security »

June 30, 2008

Security and Human Behavior

I'm writing from the First Interdisciplinary Workshop on Security and Human Behavior (SHB 08).

Security is both a feeling and a reality, and they're different. There are several different research communities: technologists who study security systems, and psychologists who study people, not to mention economists, anthropologists and others. Increasingly these worlds are colliding.
Security design is by nature psychological, yet many systems ignore this, and cognitive biases lead people to misjudge risk. For example, a key in the corner of a web browser makes people feel more secure than they actually are, while people feel far less secure flying than they actually are. These biases are exploited by various attackers.

Security problems relate to risk and uncertainty, and the way we react to them. Cognitive and perception biases affect the way we deal with risk, and therefore the way we understand security—whether that is the security of a nation, of an information system, or of one's personal information.

Many real attacks on information systems exploit psychology more than technology. Phishing attacks trick people into logging on to websites that appear genuine but actually steal passwords. Technical measures can stop some phishing tactics, but stopping users from making bad decisions is much harder. Deception-based attacks are now the greatest threat to online
security.

In order to be effective, security must be usable—not just by geeks, but by ordinary people. Research into usable security invariably has a psychological component.

Terrorism is perceived to be a major threat to society. Yet the actual damage done by terrorist attacks is dwarfed by the secondary effects as target societies overreact. There are many topics here, from the manipulation of risk perception to the anthropology of religion.

There are basic research questions; for example, about the extent to which the use and detection of deception in social contexts may have helped drive human evolution.

The dialogue between researchers in security and in psychology is rapidly widening, bringing in more and more disciplines—from security usability engineering, protocol design, privacy, and policy on the one hand, and from social psychology, evolutionary biology, and behavioral economics on the other.

About a year ago Ross Anderson and I conceived this conference as a way to bring together computer security researchers, psychologists, behavioral economists, sociologists, philosophers, and others -- all of whom are studying the human side of security. I've read a lot -- and written some -- on psychology and security over the past few years, and have been continually amazed by some of the research that people outside my field have been doing on topics very relevant to my field. Ross and I both thought that bringing these diverse communities together would be fascinating to everyone. So we convinced behavioral economists Alessandro Acquisti and George Loewenstein to help us organize the workshop, invited the people we all have been reading, and also asked them who else to invite. The response was overwhelming. Almost everyone we wanted was able to attend, and the result was a 42-person conference with 35 speakers.

We're most of the way through the morning, and it's been even more fascinating than I expected. (Here's the agenda.) We've talked about detecting deception in people, organizational biases in making security decisions, building security "intuition" into Internet browsers, different techniques to prevent crime, complexity and failure, and the modeling of security feeling.

I had high hopes of liveblogging this event, but it's far too fascinating to spend time writing posts. If you want to read some of the more interesting papers written by the participants, this is a good page to start with.

I'll write more about the conference later.

EDITED TO ADD (6/30): Ross Anderson has a blog post, too. And I should add that this was an invitational event -- which is why you haven't heard about it before -- and that the room here at MIT is completely full.

EDITED TO ADD (7/1): Matt Blaze has posted audio. And Ross Anderson -- link above -- is posting paragraph-long summaries for each speaker.

EDITED TO ADD (7/6): Photos of the speakers.

EDITED TO ADD (7/7): MSNBC article on the workshop. And L. Jean Camp's notes.

Posted on June 30, 2008 at 11:17 AM • 16 Comments • View Blog Reactions

To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.

Comments

Pity me, I feel insecure now being left out, and not invited. :) Perhaps I just need more security?!
Keep up the good blog.

Posted by: 2BeeLeftOut at June 30, 2008 11:28 AM

Will there be and video of any of the sessions? Audio? Transcript? Anything?

Posted by: Seer at June 30, 2008 12:04 PM

Remember, citizens....
we are determining your level of guilt now.

do not resist.

no one is innocent.

justice will be swift.

Posted by: Anonymous at June 30, 2008 12:29 PM

Detain everyone, and let God sort out the innocent from the guilty.

Posted by: Cronan at June 30, 2008 12:45 PM

Wow. Congratulations on putting that together.

Posted by: Petréa Mitchell at June 30, 2008 12:51 PM

Bah, no one is speaking about culture.

Posted by: Davi Ottenheimer at June 30, 2008 12:55 PM

I'll forward you our paper that was based on five years of 419 scam (AFF) research:

"False Voices: the Impact of Culture on Information Security"

Linguistic anthropology can help expose human susceptibility to fraud.

Posted by: Davi Ottenheimer at June 30, 2008 1:01 PM

Many people are taking notes and will be posting them after the event!

Posted by: Jean Camp at June 30, 2008 3:02 PM

Sounds fascinating. Let us know how it went.

Posted by: Cameraman at June 30, 2008 5:08 PM

I'm with Seer; any chance there will some video clips from the conference?

Posted by: beanman at June 30, 2008 5:15 PM

There's no video. However, I happened to bring a (soulless digital) audio recorder with me up to Cambridge and have been recording (most of) the sessions. I should have .mp3 files up on my web site tomorrow or Wednesday. Watch this space or my blog (www.crypto.com/blog).

Posted by: Matt Blaze at July 1, 2008 12:21 AM

Thanks for this post which makes me think (as to say it in english, I'm french); I will read the papers.
What you underligned with this crossed approach seems to be something "emerging" in society: a "new" interest from technology (and even hard sciences) to "sciences humaines" ( such as sociology, ethnology, etc and even litterature).

Posted by: Veronique at July 1, 2008 2:03 AM

Wow. My reading list just got a whole lot longer (despite the fact that I've actually read some of these already).

Great conference. I wish I could have been there.

Posted by: privacy wonkette at July 1, 2008 3:00 PM

> Terrorism is perceived to be a major threat to society
> Yet the actual damage done by terrorist attacks
> is dwarfed by the secondary effects as target societies
> overreact.

Yup. Sounds like the societal equivalent of an allergic response -- the immune system, which is supposed to protect you, overreacts.

Posted by: MattGinzton at July 2, 2008 12:49 PM

My photos of the event are now available at http://www.cl.cam.ac.uk/~fms27/shb-2008/
.

Posted by: Frank Stajano at July 6, 2008 4:49 AM

"People and Processes are more important than technology for information security" Was any study done on this? Can this be measured? Please direct me to useful URLs. Thanks!

Posted by: Ajay at September 22, 2008 7:07 AM