Security and Human Behavior (SHB) 2021

Today is the second day of the fourteenth Workshop on Security and Human Behavior. The University of Cambridge is the host, but we’re all on Zoom.

SHB is a small, annual, invitational workshop of people studying various aspects of the human side of security, organized each year by Alessandro Acquisti, Ross Anderson, and myself. The forty or so attendees include psychologists, economists, computer security researchers, sociologists, political scientists, criminologists, neuroscientists, designers, lawyers, philosophers, anthropologists, business school professors, and a smattering of others. It’s not just an interdisciplinary event; most of the people here are individually interdisciplinary.

Our goal is always to maximize discussion and interaction. We do that by putting everyone on panels, and limiting talks to six to eight minutes, with the rest of the time for open discussion. The format translates well to Zoom, and we’re using random breakouts for the breaks between sessions.

I always find this workshop to be the most intellectually stimulating two days of my professional year. It influences my thinking in different, and sometimes surprising, ways.

This year’s schedule is here. This page lists the participants and includes links to some of their work. As he does every year, Ross Anderson is liveblogging the talks.

Here are my posts on the first, second, third, fourth, fifth, sixth, seventh, eighth, ninth, tenth, eleventh, twelfth, and thirteenth SHB workshops. Follow those links to find summaries, papers, and occasionally audio recordings of the various workshops. Ross also maintains a good webpage of psychology and security resources.

Posted on June 4, 2021 at 6:05 AM • 16 Comments

Comments

echo June 4, 2021 10:34 AM

SHB is a small, annual, invitational workshop of people studying various aspects of the human side of security, organized each year by Alessandro Acquisti, Ross Anderson, and myself. The forty or so attendees include psychologists, economists, computer security researchers, sociologists, political scientists, criminologists, neuroscientists, designers, lawyers, philosophers, anthropologists, business school professors, and a smattering of others. It’s not just an interdisciplinary event; most of the people here are individually interdisciplinary.

One of the items I discussed with a lawyer the other week is a particular problem which arises in court cases and which I have mentioned in a previous post. Many lawyers will know exactly what I am talking about. I have obtained some extra evidence and also a very useful EHRC judgment which fits in here somewhere but to get back to what I wanted to mention is that I pointed out a range of other expertise we could draw on which would help with attacking the central problem. The partial list I rattled off the top of my head was a little different but basically this.

The essence is there is a human rights case I am pursuing and it is surrounded by a fortress built up by the state and state agencies and actors. If I play the game in a nod along way the case is lost before I walk in the door. It’s a known known the case cuts across multiple disciplines and this is where lawyers begin to trip up. Specialities want everything their own way and don’t communicate and one side doesn’t know anything about the other. This is why case management is important from step one.

It’s actually more useful to me to have a lawyer in completely the wrong speciality to begin with so they can focus on the basics of lawyering and legal practice. I also need practice management keeping their nose out because they can be interfering. Lastly I need a lawyer who “gets it”. Nobody wants to know how long it took me to find the right lawyer and that was only by sheer persistence and kicking up a stink and blind chance.

I’m not Marcy Wheeler so nobody downs tools when I walk in the door. Yes, I do have a record of achievement with significant legal issues and yes I’m pretty sharp with spotting legal issues and even with the support of a Professor in the exact same narrow sphere of expertise this touched on (she actually got her PhD in it) I’ve had QC’s openly take the **** out of me and say I was talking nonsense. It actually concerned judicial rules and a data leak. The QC’s denied it but the Professor with a PhD in the topic said I was right and pointed out how. Why QC’s would want to continue behaving like overgrown schoolboys I don’t know but the legal profession does have an ego and sexism problem. But anyway, the work continues. That’s what’s keeping me occupied for the next few weeks.

I have discussed coming from a different starting point to lawyers and mentioned the creativity issue in passing. I had one lawyer try to tell me that’s all well and good not how law works. Another lawyer half got it. But it’s how I work. Lawyers and other “certified professionals” can have a silo mentality. They can be so deep into their rote learned and historically led speciality they can begin to miss things and miss connections and miss how layers and interactions involve multiple domains of reasoning. To wit, they are always fighting yesterday’s war by yesterday’s rules. To do anything new or change things sometimes you just have to dream a little and that’s when the magic happens.

ADFGVX June 4, 2021 10:59 AM

@echo

psychologists, economists, computer security researchers, sociologists, political scientists, criminologists, neuroscientists, designers, lawyers, philosophers, anthropologists, business school professors, and a smattering of others.

Certainly, and with all due respect, I cannot find fault with our host for attending such a notable workshop or conference in the area of “security” — it would probably be remiss on that part not to do so — but at the same time, the psychiatrists and lobotomists do need to be escorted off the property in handcuffs, transported to Leavenworth in unmarked vans, and held to answer at court-martial for their war crimes and human rights violations, and the New World Order elites do need to be ceased and desisted among other civil matters from “smattering” others and thereby destroying the names and working careers of God’s elect as trolls, misfits, social undesirables, “mental defectives,” or other pejoratives.

who? me? June 4, 2021 1:33 PM

“Disoriented and alone in the ‘experience machine'”

That is the best summation of my life I have ever read: pithy and to the point.

vas pup June 4, 2021 3:17 PM

“Bob Axelrod’s topic is vengeance and cyber conflict. Vengeance is a powerful force; it is pervasive in international affairs. The A-bomb was in part vengeance for Pearl Harbor. What evokes vengeance? An attack that’s unprovoked, unprecedented, sneaky, cowardly in the sense of not allowing direct retaliation or being anonymous, or done without warning. These are all, or mostly, attributes of cyber attacks. Vengeance has not yet been taken seriously in the realm of cyber conflicts, but it should be.”

Yes, vengeance is the tool to deliver justice when government is not taking required actions to properly punish perpetrator(s).

“Judith Donath’s topic was “Trust or Verify?” Many of the technologies we’re creating are substitutes for trust; hitchhiking has been displaced by ridesharing based on apps, so the judgment of the rider and driver is partly replaced by that of an online service. Face-to-face trust establishment is an ancient part of being human; replacing it with overarching surveillance may be convenient for taxi drivers (whose profession was historically one of the most dangerous) but can cause deep collateral damage. The less we evaluate others, the less good we may become at it. At the same time, we need to think about what trust should ideally be in a diverse, technological society. Affective trust establishment is problematic as it often depends on similarity; as diversity increases we might better aim at using tech to bootstrap a wider range of trust ties with others.”

See link related (deleted by BBC, but still on DW)

https://www.dw.com/en/opinion-spying-among-friends-sadly-its-the-norm/a-57735191

David Rudling June 4, 2021 3:39 PM

@Bruce
Your own paper was fascinating and I look forward to your 2022 book.

echo June 4, 2021 4:52 PM

@Vas pup

Glancing at the title I thought I had read this before. The BBC pinched it off The Conversation.

https://theconversation.com/to-what-extent-are-we-ruled-by-unconscious-forces-161216

This article is a bit hazy but it slots into a few things relevant to some of the case work I need to write up. It involves decisions which cover multiple domains as alluded to by the topic and is directly relevant to ECHR/ECJ jurisprudence. This can get quite technical but is a way to get within the OODA loop of some state human rights abuses and professional secrecy. Some people are quite good with covering up “irrational decisions” and rarely challenged.

https://theconversation.com/superforecasters-what-pandemic-planners-can-learn-from-the-worlds-best-predictors-161646

Research has also shown that accuracy improves when we keep track of our past performance – but the kind of feedback matters. Did outcomes you thought would happen 20% of the time actually happen 20% of the time? What about outcomes you thought would happen 90% of the time? Performance improves for those who receive this kind of information.

This article as a whole is a bit of a red herring. What interests me more isn’t so called superforecasters but people who have an intuitive ability to unconsciously perceive the future via their work being six months or more ahead of where the current general understanding is. There’s also the issue of what you might call random guesses and marking your own homework with respect to politically subjective decisions versus clarity of perception and quality of decision due to continuous improvement.

You may note the two topics clash somewhat.

Weather June 4, 2021 4:57 PM

@bruce
Thanks for the read, is Ai, computers are serial humans are parallel, there’s still a way for humans to hack back.

Clive Robinson June 4, 2021 9:10 PM

@ Weather,

computers are serial humans are parallel

They are both, both…

It depends what level you look at.

The formation of RNA or DNA is a serial process, but spread across almost uncountable numbers of cells.

The world’s largest man-made machine is still the communications network with serial communications happening across almost uncountable circuits.

You look at the Universe closely enough it’s granular and everything happens in discrete steps one after the other, but in an immensity that though finite is beyond counting. Each event affecting others both near and far. We still hear the electromagnetic sound of the big bang in the cosmic microwave background uncountable years[1] after it happened.

Whilst programmers mostly think in terms of sequential events, these can run as multiple threads on a CPU core, with multiple cores on a chip, with multiple chips on a motherboard and multiple boards in a computing node that forms part of a super computer that forms part of a network of super computers. Some jobs though incredibly simple need billions of calculations done in parallel that all interact with each other. Even if not super computers think SETI@Home and similar projects.

Or of ants and bees scurrying around their nests and hives each Worker insect performing serial tasks in parallel with the others…

It’s overdue time that programmers “get with the program” and that means their future is parallel with a rather large P.

[1] OK 13.77 billion is not that big a number in the grand scheme of things, but a human’s lot is “three score years and ten” or seventy years. Which is 25567 days if you count at one number a second for 12 hours a day that’s only 1.1 billion you would count up to.

Weather June 4, 2021 11:18 PM

@clive
I see what you mean, but energy scale wise the human brain to a CPU would be a nuclear reactor.
If you do a repetitive task 5000 times it gets stored in the reptilian part of the brain at the back of the head below the meginlan. I did a self learning test where I created an alphabet at made tones for each letter as they flash across the screen, without seeing I know which letter to sound was at 1.7 kHz in my early 30s.
If you think with the front of the brain, it’s slow but accurate based on memories, some people use looking to the left to recall a memory not lie. The back of the brain is a lot quicker it controls Nevers heart beat, martial arts moves, driving, spoken word.

Yes woman can’t multi task, its smaller serial switching between processes, I’m trying to say the program might be small but the ram huge.

If you understand this, good otherwise bad day 😉

FA June 5, 2021 3:56 AM

@Clive

It’s overdue time that programmers “get with the program” and that means their future is parallel with a rather large P.

Couldn’t agree more.

This reminds me of one episode which you didn’t mention in your history of ‘failed UK technology’ some weeks ago: the Inmos Transputer.

While the Transputer was not a parallel processor, it was designed to support any number of conceptually concurrent threads with essentially zero overhead. In addition to that you could easily combine any number of them in a network.
All of this was supported directly by the hardware and the instruction set, no OS required.

I developed Transputer based systems for some years, some of them using up to a hundred CPUs running tens of thousands of concurrent tasks. It was real fun and it certainly changed my view on programming in the sense that ‘thinking parallel’ became second nature.

echo June 5, 2021 7:06 AM

@FA

This reminds me of one episode which you didn’t mention in your history of ‘failed UK technology’ some weeks ago: the Inmos Transputer.

The UK government had a “buy American” and “market forces” attitude. The last big opportunity was the European car industry which ultimately bought American supercomputers running software designed to support the American car industry.

While mainland Europe continues to have a mass car industry the UK as we know no longer has one and the focus of government encouragement had moved behind the defence industry and sacrificed this and everything else along the way.

Fast forward to today and the EU has put political emphasis on building up the European IT industry via their Horizons programme.

In the UK at least one local council has contracted Savills to supply services and software to assist with planning decisions. This is the same Savills whose consultancy arm is not going to shoot down their estate agency arm.

Google have got people’s attention for having a biased index. While there is no proof this is the case I do not believe regulators have looked wide enough. They have focused too closely on the index and taken Google’s word for it. What they are missing are the wider attitudes and context in the entire web content market, US government regulatory and big business attitudes, and US internal market culture and beliefs and priorities, and the sheer size of the US market as a whole compared to other markets. All of this needs to be investigated before a decision is made.

In the UK a state regulator made a very unwise decision within the past few months for similar reasons. Rather than use their complaint mechanism to pick up the pieces of the consequences of their decision this is being challenged with a judicial review.

Did the transputer fail? This could be said but the failure perhaps wasn’t hardware or software but political. Pretty much every modern CPU uses the bus concepts to obtain higher performance now the patents have run out. Intel rebuffed a partnership. Intel then meddle with ARM. ARM then went on to what it is today then some bright spark from the school of “managed decline” decided to sell ARM before being snapped up by, tadah, the Americans.

Winter June 5, 2021 10:37 AM

@echo
“ARM then went on to what it is today then some bright spark from the school of “managed decline” decided to sell ARM before being snapped up by, tadah, the Americans.”

I see ARM becoming a pawn in USA technology politics if this really will go through (I understand there are still some regulatory hurdles).

The Chinese are already moving to RISC V. Sounds like a good strategy for all. IP is poison. Especially, as it always benefits the US, and if not, then the IP mysteriously becomes ineffective.

Ricky June 6, 2021 6:56 AM

Hi!
Technology develops more and more strongly, here, security is always concerned in all industries. The conference on this issue should provide a way to deal with this important issue.


Sidebar photo of Bruce Schneier by Joe MacInnis.