Psychology and Security Resource Page

Ross Anderson has put together a great resource page on security and psychology:

At a deeper level, the psychology of security touches on fundamental scientific and philosophical problems. The 'Machiavellian Brain' hypothesis states that we evolved high intelligence not to make better tools, but to use other monkeys better as tools: primates who were better at deception, or at detecting deception in others, left more descendants. Conflict is also deeply tied up with social psychology and anthropology, while evolutionary explanations for the human religious impulse involve both trust and conflict. The dialogue between researchers in security and in psychology has thus been widening, bringing in people from usability engineering, protocol design, privacy, and policy on the one hand, and from social psychology, evolutionary biology, and behavioral economics on the other. We believe that this new discipline will increasingly become one of the active contact points between computing and psychology -- an exchange that has hugely benefited both disciplines for over a generation.

Tags:

Posted on October 28, 2009 at 6:48 AM • 31 Comments

Comments

B. RealOctober 28, 2009 7:48 AM

Not only left more descendants, but were able to get others to raise their children for them, thus being able to "spread their seed" further than would otherwise be possible on their own labours. A fascinating read that discusses this (going back to pre-man) is "Beyond Choice" by Alexander Sanger.

clvrmnkyOctober 28, 2009 8:28 AM

This implies that the evolution of our intelligence had a direction.

How about intelligence gave us several advantages over time, some of which has been expressed as the ability to use the theory of mind to our individual and collective benefit?

By Crom, those psych folks love to place the cart before the horse.

Chris SOctober 28, 2009 10:10 AM

@clvrmnky: "This implies that the evolution of our intelligence had a direction."

Yes, it does. But that direction is only seen as a direction when looking back.

What you seem to be concerned about is that someone is saying that evolution was pursuing a goal of higher intelligence in order to manipulate others - that the proposed direction was somehow known to evolution before evolution started down that path.

I don't think that's what is being said here.

I would look it this way. If I put a marble in a bowl on one and let go, it's going to end up in the centre at the bottom. This is predictable - the marble will follow a clear direction, and in some sense, the marble is seeking a final goal.

But I'm pretty sure that neither the marble nor the bowl know this.

Back on topic, within the context of information security - the brains of both the users of systems and the attackers of systems **are part of that system**. Trying to understand the whole system and it's behaviour offers the opportunity to find systems that both offer better security and better usability for the users.

Clive RobinsonOctober 28, 2009 10:11 AM

The evolutionary argument I liked was why women can communicate better than men ;)

It goes something like this,

Men as hunters did not need to communicate via anything other than simple signs and vocal communications would alert prey to the danger.

Women being gatheres over large distances would need to be able more complex information about the location of resources to other women so that they could spread out efficiently to gather resources. But importantly they did not have a need for being quite...

The reason I like it is it is so simple it sounds like it must be true... But of course nothing in human evolution is simple ;)

The other argument about women and communication is the need for secrecy and decit,

In larger outposts of civalisation sharing becomes less advantageous to a person who gathers, simply because nature tends to spread the ripening of fruit seeds and nuts etc over a period of time.

There for if you know of a good location for nuts it is in your immediatly family interst not to let other families know but gather as much as you can without revealing the location to them.

B. RealOctober 28, 2009 11:23 AM

So, what you're saying is if you had the nuts in your family you were better off not revealing it because if you did the other families wouldn't want your nuts in their family?

ArclightOctober 28, 2009 11:29 AM

I'm glad to see someone collecting all of this in one place. I can't tell you how many times I've gone to speak with a customer about security, one with a real budget, who was willing to spend big money on the latest firewall, IDS, and all manner of other stuff.

When I point out that a bigger threat to their super-secret intellectual property might be in the form of the janitor having a key to the server room and CEOs office, they get a all quiet and change the subject. People don't like to feel the sense of vulnerability and violation that comes with knowing someone might break into your office, root though your dumpster, etc. The usual response is "Oh, I don't think anyone would do THAT..."

Arclight

Clive RobinsonOctober 28, 2009 11:52 AM

@ anonanona,

"Interesting. I suppose you mean clan or tribe rather than family."

Hmm it depends on your meaning of the words.

What I was getting at where close genetic relations -v- distant or non genetic relations in an area where people live.

A family is usually comprised of those at most three genetic steps away.

A tribe upto four or five genetic steps.

And a clan can be many genetic steps but with common acestry.

However a village or town can be comprised of geneticaly non related but co-operating people. The degree of co-operation depends on many things but the size of the setlment and the individuals interaction/standing within the community.

At some point co-operation turns into trade and thus into a market and market control.

Thus if you have a secret store of nuts the mear fact that is unknown to others increases their trade value.

Thus protecting the location of the source by secrecy becomes a guenuine advantage.

kashmarekOctober 28, 2009 11:54 AM

This says a load full:

"to use other monkeys better as tools"

So, it all started with monkeys?

It explains why businesses don't want intelligence in their monkeys.

Clive RobinsonOctober 28, 2009 12:05 PM

One thing that is noticable is the lack of papers about left-v-right brain behavioural types.

It is very noticable that engineers have a significant contigent of left handed people and tends to atract people with high functioning autisum. One charecteristic of which is their ability to live inside their own heads and strangely be better able to see risk in any given senario.

Whilst senior execs in large organisations and politicos tend to be strongly right handed, having a need to live in the heads of others (networking) and distinct psycopathic traits.

Invariably they are poor at recognising risk and develop stratagies to off load or off set it onto others.

The rest of the human race tends to fall between the two.

What is noticable is that many many (virtualy all) studies of the brain tend to exclude left handed people.

I once asked an aquaintance who worked in the field why this was at a social event. The response was,

"The trouble with you lefties is your brains are not wired up right".

Bryan FeirOctober 28, 2009 1:00 PM

@Clive Robinson:

I've been involved in left/right brain arguments before. My mother was probably initially left-handed but got trained right-handed; this leads to all sorts of interesting conflicts for her in that when golfing she drives right-handed but putts left-handed (since the putter is often symmetric), and when sighting a gun she holds the gun right-handed but sights with her left eye.

I find it interesting that your comment is different from the 'conventional wisdom' I'd heard, which was that left-handed/right-brained people tended to be artists and creative types, and right-handed/left-brained people tended to be logical thinkers. As I understand it, this is primarily due to the language facilities being on the left side of the brain, especially if you follow Dr. Michael Persinger's theory of consciousness being formed by the serialization of the brain's parallel operations through the language center.

In any case, I've always felt that the GOOD engineers tended to be bicameral: able to both see the big picture and be detail-oriented. Certainly if you want to do diagnostics work, it's almost a necessity.

HJohnOctober 28, 2009 1:09 PM

@: right-handed/left-brained, left-handed/right-brained
________

I'd give my right arm to be ambidextrous.

ShaneOctober 28, 2009 1:50 PM

@Clive

I'm curious to know what gives you such amazing insight into the reasoning and methodologies of prehistoric humans?

ShaneOctober 28, 2009 2:02 PM

@Clive

Also, "The rest of the human race tends to fall between the two."

This is true of any dividing characteristic you can name in individuals. Extreme A = blah; Extreme B = A different blah; everyone else falls in between.

No shit?

Perhaps hair color has a key role in the politician vs. engineer argument as well? Worth looking into, or at least talking about as though it has any relevance.

For the record, I'm a (possibly) very mild autistic person, very introverted and well more than capable of 'deep though'. Professionally, I am a software developer, independantly I am an artist / musician. I'm right handed.

Perhaps I missed the memo about who I was supposed to be??

In short, the left-brain-right-brain discussion amounts to mainly bullshit. Perhaps some 'interesting' statistical distributions, but its ability to describe humanity or categorize us has no more relevance than the color of their eyes might.

Remember, there are still an incredible number of people alive on this planet (ie - Catholic school children) who were forced to learn to use one hand vs. the other, no matter their natural inclination. It all goes back to nature vs. nuture. Speaking to one over the other is fallacious.

Clive RobinsonOctober 28, 2009 2:15 PM

@ Bryan Feir,

"I find it interesting that your comment is different from the 'conventional wisdom' I'd heard, which was that left-handed/right-brained people tended to be artists and creative types, and right-handed/left-brained people tended to be logical thinkers."

The first bit is bourn out in practice in that engineers and architects and others who design have a very high degree of left-handedness in their number in some places the inverse of that found in the general population.

However the argument about right-handedness and logical thought is not bourn out in practice, engineers and such are usually better at non verbal logic and reasoning than most others.

Which brings us onto,

"As I understand it, this is primarily due to the language facilities being on the left side of the brain, especially if you follow Dr. Michael Persinger's theory of consciousness being formed by the serialization of the brain's parallel operations through the language center."

Which is correct but you may be drawing the wrong conclusion from it.

Right handed people tend to think in words, which can make them "apear logical" in verbal or written argument based on the use of language.

However this does not make them logical in other senses of the word.

Think about how many "castle in the air" arguments the legal proffesion and politicians come up with that have no substance outside of the own brand of reasoning.

That is, their argument is about chasing the verbal squirles around in your head untill you accept their view point. In most cases the argument is highly selective and without real or suportable substance. As George Orwell made comment, it is aimed to have the same effect as spinning you around hence "spin".

Thus my comment about them living inside of other peoples heads.

You will see a number of politicaly orientated execs eapecialy in bueracratic organisations that spend most of their time running around "networking" what the are actually doing is re-enforcing the perception they wish to create in other peoples heads.

Invariably the actually achieve little and move on before any choices they have had to make actually achive anything good or bad.

They will then claim it as their good ground work if it succeds and blaim their successors if it fails.

And I'm sure most readers could come up with a list of people that they have had the misfortune to come into contact with that fit the above outline.

Clive RobinsonOctober 28, 2009 3:01 PM

@ Shane,

"I'm curious to know what gives you such amazing insight into the reasoning and methodologies of prehistoric humans?"

I could say economics being retrospectivly applied.

However it was pointed out to me in the late 80s by somebody in that field of research along with the fact that in reality humans have not realy evolved in certain respects for milenia and that similar traits where found in tribal communities that had had little or no contact with modern man.

Speaking of off the wall ideas anyone remember the "Naked Ape" and it's author the zoologist "Desmond J. Morris". I went to one of his lectures and he made an interesting point for people to think about.

"Meat eating is social" "vegitation eating is asocial"

He said that if you looked at people walking down the street you would much more frequently see groups of people eating "burgers, kebabs" and other meat based foods. However you rarely see groups of people walking around eating fruit.

He indicated that this may be due to the hunter group and kill feast becoming a social norm, where as eating whilst gathering was essentialy an individual activity not a social activity.

It makes for interesting thinking but I would advise against taking it to the point of saying "vegitarians are anti social" as there is as he pointed out no evidence for this with cooked fruit and vegtables.

Brandioch ConnerOctober 28, 2009 3:15 PM

Anyone can "prove" any behaviour is evolution based simply by choosing their examples to reflect that.

But the only real proof is prediction.

When they can predict specific behaviour IN THE INDIVIDUAL then they'll have made progress.

Clive RobinsonOctober 28, 2009 3:26 PM

@ Shane,

"In short, the left-brain-right-brain discussion amounts to mainly bullshit. Perhaps some 'interesting' statistical distributions, but its ability to describe humanity or categorize us has no more relevance than the color of their eyes might."

We actualy don't know if it is "bullshit" or not.

What we do know is that when carrying out experiments on human brain function left handed people are in the main quite deliberatly avoided or specificaly excluded.

Hence the comment,

"The trouble with you lefties is your brains are not wired up right"

When I asked somebody I know quite well who is involved with this sort of research why left handed people are excluded from such research. The truth behind the pun is that the few experiments under FMRI etc has shown major differences in brain activity between left and right handed people.

So yes there is a lot of "'interesting' statistical distributions" but no research as to why.

So we do not know if your "bullshit" viewpoint is valid or not from any meaningfull perspective.

With regards education and forcing right handedness on children. This was done to my father who was strongly left handed. The chosen method was to hit him across the knuckles of his left hand with a "yard rule" every time he used his left hand. The result was that the injuries left him with lasting physical trauma that gave rise to early onset arthritus in his left hand.

And the reason for this, well left handed people are considered "sinister", "gauch" and "cack handed" and even evil.

Both sinister and gauch mean left, and your "cack hand" that you cleaned your bottom with was the left hand as the majority of people had less use of it and thus did not use it for eating.

ShaneOctober 28, 2009 3:35 PM

"humans have not realy evolved in certain respects for milenia"

Obviously, otherwise we wouldn't be humans anymore. The only thing we've really done to advance ourselves since our last little genetic mutation was to start writing shit down.

Human evolution died giving birth to the industrial revolution. We're stuck fumbling around as clever, arrogant little chimps with more toys, less hair, an exponentially larger sense of entitlement, and an exponentially lower level of respect for our ecosystem.

Speaking of our species, the story of Icarus comes to mind...

ShaneOctober 28, 2009 3:59 PM

Clive, my brain is just as much the same as yours as it is different. Both physically and ethereally.

That you might light up a different subset of areas during an MRI while doing the same task is perhaps of some significance to neurologists, but it ultimately means nothing, especially from an evolutionary standpoint.

The key to my point here is 'the same task'. We both did it. How it happened internally is fun for attempting (but ultimately, so far, failing) to explain how our brains work, in all respects, but in the context with which you've mentioned it, the differences are meaningless at worst, pure speculation at best.

Brings to mind a study I read years ago, concerning people with a certain condition (I forget the name) in which they had nearly no physical brain matter, just a tiny little nub at the tip of their spinal column, but were still capable of functioning as normal people in society with an average intelligence and fairly decent memories. I don't believe science still has any answer whatsoever as to why this is even possible (correct me if I'm wrong).

Like I said, it might be interesting for neurologists, but it isn't to me, or most likely to the rest of the population. Attempting to separate the two seems to me akin to demonizing the 'leftys' in the first place. The only difference is in the internal methodologies, methodologies we don't understand (hence why I'm certain they leave out many of the leftys, since trying to map the brain out, and subsequently having no real idea WTF is going on in there, seems to me a very difficult task even when you *do have generalized similarities in brain activity for a given task). Since it's not as though the world has enough (or even any) understanding of how to somehow rewire the brain for efficiency, it means very little since, being of a 'certain hand' doesn't mean I'm incapable of anything, it just means that internally I *may* *possibly* go about solving particular problems differently *internally. Since I can't solve any problems with other people's brains, how they solve problems internally is of very little relevance to me, and if we both solve them correctly, it should be of zero relevance to any topics regarding life choices, vocation, morality, philosophy, capabilities, evolution, et friggin al.

The one thing we do know about the brain, is that the paths our neurons take are constantly changing, based on our biology, our experiences, and how we think.

Again, nature vs. nurture.

It also brings to mind the question of whether or not humans (or any form sentience) can truly hope to ever fully understand their internal consciousness / sentience.

My guess is no. So far I'm right.

Didn't Einstein once say that the same mind that created a problem cannot hope to solve it?

Didn't Alan Turing discuss a similar problem at length with regards to computers? It's been decades... sorry, guess my right-brain is too dumb to remember, haha.

ModeratorOctober 28, 2009 4:04 PM

This men-and-women discussion was barely on topic to begin with, and has turned into an excuse for people to post childish sexist jokes. I'm removing the jokes for now; do not post that kind of thing on this blog again.

As for the rest of that discussion, please either bring it around to security or drop it. If it continues to be more trouble than it's worth, I'll just delete the whole thing.

ShaneOctober 28, 2009 4:08 PM

@Moderator

Sexist jokes aside, aren't tangents and digressions on a blog intentional side-effects of posting thought-provoking entries?

I mean sheesh. This is a blog with comments enabled, I think that sans flame wars and spam, pretty much any discussion is good discussion :(

ModeratorOctober 28, 2009 6:18 PM

Shane,

Tangents are okay up to a point, but this is a security blog, not a general forum. Comments are enabled so that people can discuss security (and squid).

There are certainly places on the internet where you can post about anything you want, and those who like that kind of thing should have no trouble finding one. There are also some sites where you can't vary from the topic even a tiny bit -- a lot of science blogs are run like this. We try to be in the middle. I think the internet has room for all three approaches; that way people can choose. If all blogs were run according to your preferences, then those who prefer a less noisy discussion would have nowhere to go.

miwOctober 29, 2009 3:11 AM

It is somewhat disturbing to see the field of cryptography move to less exact sciences. There are enough hard problems in the field of IT security that need solutions. If the people that might actually tackle these problems shift their attention to "the role of humans in security" and related softer topics, the scientific field as a whole will suffer both by losing key resources (experts) and by a lower public perception. Sadly, this matches a trend in other exact sciences, where the experts move away from solving the hard unsolved problems. Perhaps the publicity generated by easier topics has something to do with that trend.

VincentOctober 29, 2009 4:45 AM

My contributions were neither sexist, nor jokes. Rather, they were terse observations that state the obvious to deflate a nonsense argument about empty value judgments arising from bunk "qualitative" research purposed toward validating what are not just sexist, but intellectually lazy and dishonest pseudoscientific claims. I'm sorry you laughed at the truth.

Clive RobinsonOctober 29, 2009 4:52 AM

@ Moderator,

My apologies for being the root cause of the diversion, it was not intended to be away from the subject but to more underlying issues.

My original intent was to highlight that the need for security is inherant in human beings, due to a need for secrecy to gain competative advantage, whilst still still being co-operative within a habitation beyond a close genetic size.

Further that the history of the arguments that have sofar been offered (in those areas of science that have offered them,) although simplisticaly appealing are either not proven or not correct.

As has been noted in the past the exceptions to rules (hypothoses) generaly moves human understanding forward.

Two such exceptions I have been told about are the Kalhari Bushmen and the Australian Aborigines. For differing reasons they did not have a need for secrecy in the way we do in our western society.

What is becoming clear that as much as mankind attempts to shape nature, nature also shapes mankind.

There are distinct differences in such things as eye sight, ability to control body temprature, tolerance to alcohol, shape of bones and many other examples that show that different human cultures are evolving seperatly in response to their environment.

It would be unreasonable to expect that where there is evidence of physical evolution to the environment in less than 10,000 years, that there has not been consiquent changes in the structure of the brain in response to the environment.

In fact there is a growing body of evidence that sugests that even the language spoken has evolutionary effects on humans (for instance pitch perfect ratios with language).

Therefore it might be that other factors in society are likewise causing definate evolution in humans. For instance ratios of alcohol tolerance in the population, and more importantly the birth rate changes as a geo-political area moves from agrarian to industrial.

Not just in that the birth rate usually drops, but also the age at which women chose to give birth goes up. This would be expected to change a population by natural selection, favouring those women capable of giving birth to health children over the age of 35, over those who cannot.

Therefore it might be the case that the "fear of terror" if it persists over as little as two or three generations might have a lasting evolutionary effect on a population.

On another note we are already seeing some employers specificaly looking for certain personality traits/types. More recently we have seen companies activly seeking those in the Autistic Spectrum Disorder (asperbergers/dislexia/ADHD).

Why because they have certain desirable traits with regards amongst other things "savant" abilities.

It is known that in engineering and some sciences people with ASD do better than others but often fail hopelessly when they move into managment. Further that the children of engineers are more likely (by about 1/8) to have ASD than children of those in other proffesions.

As Bruce has noted being able to tell "hinky" is a definate advantage in security. Will our current changes in society cause us to evolve where detecting "hinky" becomes less rare?

brasscountOctober 29, 2009 10:32 AM

@miw

I see your concern regarding the loss of pure mathematics in cryptography to the softer sciences of sociological and psychological foundations for security. Unfortunately, I believe you have missed the primary point.

I challenge you to find the world's most obscenely difficult cryptographic structure. Take that structure, and use it to encrypt the world's most jealously guarded secret (the colonels 11 herbs and spices, perhaps.) Now, entrust the encrypted secret to one person, and the encryption key to another.

If I, an evil soft science security psychologist, can ascertain who these people are, I WILL be able to collect that secret, and break your encryption scheme. I will do this via applied psychology, e.g. rubber hose decryption or torture, social engineering, bribery, blackmail, extortion, or any of a thousand other means that I as an evil actor can place at my dsiposal with nary a thought toward the sophisticated mathematics protecting the delicious chicken recipe.

I assert to you that the soft side of cryptography is and always will be its greatest weakness. Now, I'm going to lunch...

ShaneOctober 29, 2009 1:51 PM

@Moderator

"If all blogs were run according to your preferences, then those who prefer a less noisy discussion would have nowhere to go."

Agreed.

Dominic VogelNovember 2, 2009 10:09 AM

Often the psychological aspects of security get little attention in the corporate world. The psychological underpinnings of security cannot be overlooked as they have direct consequences on how end users accept (and respond to) new security initiatives.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..