Schneier Talks
Last month I gave a talk at InfoSecurity Europe in London. The title was “Reconceptualizing Security,” or maybe “The Theater of Security,” and it is a follow-on to my work on the psychology of security. I haven’t yet written this work up, but you can listen to or watch my talk.
John • May 9, 2008 3:41 PM
I generally enjoyed watching your lecture. I would however like to comment on an unannounced change in approach made during the talk and also my thought that something was missing.
So first the change:
You first presented your framework of threat reality, feeling, and model as one of the threat, the limbic (or mid brain) response to that threat, and the attenuation of that response in the prefrontal cortex. All good. Then you switched to the concept of feeling being one of an old, “comfortable” model (my words, not yours) being equated with feeling and a “new” model being associated with intellectual attenuation. I don’t disagree with the differing approaches but think you should have announced your change in “the diagram”.
Now my thought on something being missing:
You didn’t talk in any substantive way about the immediacy of a threat; be it a real threat or one cobbled up by an external actor attempting to elicit a predetermined response. The research in both cognitive (or evolutionary, for that mater) psychology and neural science has show that the more immediate the perception of a threat the less able we (humans) are able to attenuate our threat response. Simple and I think obvious. This fact has been used by all sorts of folks in applications ranging from marketing to the extraction of information from an adversary.
The threat of a bus bearing down on me as I enter a cross walk and my response to that threat is not easily manipulated by messing with my intellectual “model” of reality.
On the other hand the threat of dying from cancer is much less immediate and my response to that threat can be manipulated in subtle ways over a long period of time.
Example:
If I want you to tell me something I can hook up the wires and batteries and you will blurt out the truth with little or no attenuation.
Alternatively I can over a period of time manipulate you sense of right and wrong and/or manipulate your value system to make you want to tell me what I need to know (or buy my product). The first is fast and works a lot of the time but your enemy (or skeptic) remains an enemy. The second way is slow but I can almost always get what I need and in the end I have an a true believer in my version of reality.
It could be viewed like this: in the first case I sold you on the need to not feel the pain. In the second case I used targeted marketing to manipulate your perception of reality.