Schneier on Security
A blog covering security and security technology.
May 9, 2008
Last month I gave a talk at InfoSecurity Europe in London. The title was "Reconceptualizing Security," or maybe "The Theater of Security," and it is a follow-on to my work on the psychology of security. I haven't yet written this work up, but you can listen to or watch my talk.
Posted on May 9, 2008 at 1:34 PM
I generally enjoyed watching your lecture. I would however like to comment on an unannounced change in approach made during the talk and also my thought that something was missing.
So first the change:
You first presented your framework of threat reality, feeling, and model as one of the threat, the limbic (or mid brain) response to that threat, and the attenuation of that response in the prefrontal cortex. All good. Then you switched to the concept of feeling being one of an old, "comfortable" model (my words, not yours) being equated with feeling and a "new" model being associated with intellectual attenuation. I don't disagree with the differing approaches but think you should have announced your change in "the diagram".
Now my thought on something being missing:
You didn't talk in any substantive way about the immediacy of a threat, be it a real threat or one cobbled up by an external actor attempting to elicit a predetermined response. The research in both cognitive (or evolutionary, for that matter) psychology and neural science has shown that the more immediate the perception of a threat, the less able we (humans) are to attenuate our threat response. Simple and, I think, obvious. This fact has been used by all sorts of folks in applications ranging from marketing to the extraction of information from an adversary.
The threat of a bus bearing down on me as I enter a cross walk and my response to that threat is not easily manipulated by messing with my intellectual "model" of reality.
On the other hand the threat of dying from cancer is much less immediate and my response to that threat can be manipulated in subtle ways over a long period of time.
If I want you to tell me something I can hook up the wires and batteries and you will blurt out the truth with little or no attenuation.
Alternatively, I can over a period of time manipulate your sense of right and wrong and/or manipulate your value system to make you want to tell me what I need to know (or buy my product). The first is fast and works a lot of the time, but your enemy (or skeptic) remains an enemy. The second way is slow, but I can almost always get what I need, and in the end I have a true believer in my version of reality.
It could be viewed like this: in the first case I sold you on the need to not feel the pain. In the second case I used targeted marketing to manipulate your perception of reality.
I would like to comment about your talk on security. But I don't feel secure enough to do so (who said paranoia was a bad thing?).
Funny, Bruce uses exactly the same sentences and expressions he did in his talk a while ago in Australia ... as if someone pressed replay.
Sorry, the last bit I wanted to say didn't make it when I pasted in the text. Here it is:
What I am trying to say as it relates to the current discussion on security is:
1) We were sold on the idea of giving up certain things in the interest of security in days following 9/11 and then subjected to a long period of having our perception of reality manipulated to maintain the perception of imminent threat.
2) We now know this (right?), but continue to, by and large, buy into the "perception" of imminent danger.
Even as this has been shown to be based only in fantasy as compared to the true reality of our individual security and the threat models and modes as they exist in the real world.
Are the powers that be that good? Have they really made the population willing co-conspirators in this manipulation of reality? What does this mean as we as a nation move to unwind the policies of the current authorities moving forward?
>someone pressed replay.
You're onto the secret. Bruce has built robotic replicas of himself for mundane tasks, like to give lectures and post to blogs, so he's free to play "find the prime number" with his little ones.
> We now know this (right?), but
> continue to ... buy into the "perception"
> of imminent danger.
I think the "we" who knows and the "we" who buys are different groups altogether.
You're right. I think I should have been more precise in my wording.
It would appear that reality needs a PR firm...
When is the pantomime version being released?
I would make the trip to London for that, especially if you get Patrick Stewart to play a part.
I enjoyed the talk, and it's good to see how these ideas are evolving from _Beyond_Fear_. Three comments:
a) Metrics are often agenda-oriented, and the selection of metrics is a very common example of preferring data that matches one's model to data that matches reality. The TSA measures the number of items intercepted, and interprets more=good. Given that they are virtually all Type I errors, the measure is really the number of mistakes they make per day, more=bad. Their agenda favors "liquid bottles eliminated" as a metric rather than "dangerous liquid bottles eliminated" as a result.
b) Singular events are less data than common events, and they have a standard deviation of zero, so they seem easier to understand. Moreover, even analysts with good data slant it to their agenda. If your doctor wants to lower your cholesterol he says "Folks with high cholesterol are 3.5 times more likely to have a heart attack than those with normal cholesterol" rather than "Folks with high cholesterol have a 0.7% chance per year of having a heart attack, and that is 0.5% more than those with normal cholesterol." I just can't get behind almost all metrics that I see published; the facts just aren't there.
c) Do you think computer security can have a good degree of overlap? To get the model close to reality, you suggest users need more information. Yet everyone in the industry, from the vulnerability causers to the anti-vulnerability product salesmen, wants to spread disinformation. It is not the case that over enough time we get it right. Darwin's theory of evolution was new in 1900, a big dispute in 1925, in all the science text books of 1960, and the topic of increasing debate today. If 120 years isn't long enough for a model with lots of validation data, things can look bleak. Medical models only have to be adopted by the small number of folks with a license to practice medicine. Computer models might need to be understood by everybody with a computer. That's a much larger, and much less informed, population.
Theory of the big lie.
Repeat the lie on all mass media daily. Have agitators abuse and out-shout the opposition, till most people will just be silent and go along with the manipulation. Those who stand and shout the truth will be few, and eventually they will be trampled by a herd that has no interest in the truth, but is in denial and self-deception, committed to cognitive dissonance.
Reichstag fire is a good place to start.
It was funny to see Bruce being pulled up by the Security Guardess (if there is such a word) as he just waltzed into the auditorium before the talk. Security does work then!