Security and Human Behavior (SHB 2017)

I'm in Cambridge University, at the tenth Workshop on Security and Human Behavior.

SHB is a small invitational gathering of people studying various aspects of the human side of security, organized each year by Ross Anderson, Alessandro Acquisti, and myself. The 50 or so people in the room include psychologists, economists, computer security researchers, sociologists, political scientists, political scientists, neuroscientists, designers, lawyers, philosophers, anthropologists, business school professors, and a smattering of others. It's not just an interdisciplinary event; most of the people here are individually interdisciplinary.

The goal is maximum interaction and discussion. We do that by putting everyone on panels. There are eight six-person panels over the course of the two days. Everyone gets to talk for ten minutes about their work, and then there's half an hour of questions and discussion. We also have lunches, dinners, and receptions -- all designed so people from different disciplines talk to each other.

It's the most intellectually stimulating conference of my year, and influences my thinking about security in many different ways.

This year's schedule is here. This page lists the participants and includes links to some of their work. As he does every year, Ross Anderson is liveblogging the talks.

Here are my posts on the first, second, third, fourth, fifth, sixth, seventh, eighth, and ninth SHB workshops. Follow those links to find summaries, papers, and occasionally audio recordings of the various workshops.

I don't think any of us imagined that this conference would be around this long.

Posted on May 25, 2017 at 2:30 PM • 29 Comments


neillMay 25, 2017 2:48 PM

thank you, bruce, livebloggin is nice, can you propose at least a live audiofeed? esp. in Q&A session that would capture it all better!

SofakinbdMay 25, 2017 3:31 PM

Bruce wrote:
I don't think any of us imagined that this conference would be around this long.

And now more necessary than ever.


JarradMay 25, 2017 6:09 PM

I'm not surprised it has lasted this long. Humans are the weakest link. No matter how much technology we put into place, bad humans not following good process is still going to create security problems.

It's great to see that this kind of conference exists over just a technology forum for security. I get tired of vendors just trying to sell me products.

oliverMay 26, 2017 12:58 AM

Hi Bruce,
sorry to rain on your parade here, but please throw the psychs right outta there!
They have nothing usefull tzo contribute at all.
Just mindless psycho-babble.

Patriot COMSECMay 26, 2017 2:19 AM

It sounds fascinating.

The first link in the piece above is interesting because it identifies the speakers and shows some of their work. Perhaps I had bad luck, but I picked out and read three articles: Lydia Wilson's comments on ISIS are off the mark because they are typical of a shallow Western-centered view; Elizabeth Stobert's piece on Expert Password Management is not very interesting, and it could be summarized in one sentence, with a yawn; and worst of all is Yi Ting Chua's piece about "Gendering Cybercrime"--I am sorry to say it, but if you want a laugh, read the first paragraph. It is so bad that it is good.

I hope the discussions at the conference are not as vacuous as the three pieces I just read.

HGMMay 26, 2017 4:40 AM

I live in Cambridge. Are you giving any public talk while you're here? I'd love to hear you speak.

Alice HutchingsMay 26, 2017 5:01 AM

The chapter I co-wrote with Chua 'Gendering Cybercrime' explains how women face barriers when it comes to being taken seriously in such a male-dominated field. Patriot COMSEC demonstrates succintly that these barriers are not just faced within deviant communities, but also within the security industry more generally.

ab praeceptisMay 26, 2017 5:29 AM

Alice Hutchings

I assume that is partly to do with the women themselves, particularly those endlessly unnerving others with gender problems.

Speaking for myself I can say that I don't care a rats a** about male or female; I'm interested exclusively in competence and brains and there were situations in my professional life where I made this understood quite bluntly to male colleagues.
That said, as soon as anyone starts blabbering about "gender problems" I'm completely in aggressive "f*ck off!" mode within a split second.

I guess that's the result of too much and too long abused patience and good will from my side and too many women blabbering too much about gender problems and delivering too little on the technical side.

You might consider this a "male dominated system" but from what I saw the most promising way for women is the same as that for men: Deliver good work. Simple as that.

"Gendering Cybercrime"? A joke I assume.

JeuneseMay 26, 2017 6:07 AM

Very common arguments are being made here -- that women are self-selecting, the emphasis being on internal differences. However, there is no reason why this should be so. Before high school, girls usually outperform boys in all subjects, including maths and science (Halpern et al., 2007), and tend to engage less in these subjects over time, not because they are incapable, but because they believe that they have to hold themselves to an even higher standard in male-dominated subjects (Hill et al., 2010). They are thus subject to 'stereotype threat', which you can easily find evidence of. (Perhaps you would prefer me to call this "psychobabble"?)

It has a cultural underpinning. For example, the magnitude of sex differences in maths performance negatively correlates with gender inequality in a given country. It's not that women *can't* deliver technically. There are more similarities than differences in the cognitive abilities of men and women (Hyde, 2005). There is a self-fulfilling prophecy at work here.

What is dismissed within quotation marks as "gender problems" is actually a real thing, evidenced in your impulsive "f*** off" reaction to it even being suggested.

And when women do make it to the highly regarded (and not coincidentally male-dominated) technical fields instead of the female-dominated "psychobabble" fields of study, they can expect to be paid less, funded less, make sacrifices for family, and accept sexism as a norm (disclaimer: *disproportionately to their male colleagues*).

ab praeceptisMay 26, 2017 6:42 AM


Playing that game with me is futile. I assume that there are indeed differences between the average man and the average woman - but that does not at all mean that there are no women who are as fit as men in "male" fields.

You see, I was in fact quite engaged myself regarding *really* disadvantaged women. I did quite a lot to help them and, more importantly, to make sex a non criterion re. tech jobs. And I do not at all regret what I did then. Knowing that I helped some qualified women to be properly treated, respected (and earning!), and having a fair chance to climb up still satisfies me.

What makes me very quickly say "f*ck off!" today is that whole gender thing, all that activism, womens quota and the like. Seeing uni decans who got their position for only one reason, namely that they are women (and otherwise *obviously* incompetent stupid political XXXXXXX) makes me aggressive because it means that we simply replaced one sex for another but still have sex as a major criterion.

I still wouldn't care if I had a man and woman apply for a tech job. I'd simply look at their competence, knowledge, and abilities. I would, however, instantly say bye to any woman trying any gender games (asking certain questions, etc).

Jeunese PayneMay 26, 2017 6:51 AM

I genuinely have no idea what "game" you are accusing me of or what "certain questions" women might ask to get a particular position. I also at no point advocated women getting a job just because they are a woman. I pointed out the evidence for the existence of "gender problems" and its cultural underpinnings, and objected to the term "psychobabble" mentioned earlier in the comments.

Bruce SchneierMay 26, 2017 8:11 AM

"sorry to rain on your parade here, but please throw the psychs right outta there!"

Don't be ridiculous. The whole point of starting this workshop was to have psychologists and computer-security researchers talk to and work with each other. It's been a fascinating conversation and has resulted in some excellent research, and we're all pleased that it continues.

Bruce SchneierMay 26, 2017 8:13 AM

"I live in Cambridge. Are you giving any public talk while you're here?"

Apologies, but no.

vas pupMay 26, 2017 8:58 AM

Some additional recent input on psychology and risk taking:

Call GirlMay 26, 2017 10:02 AM

Computer security needs to be logically sound and impartial to human feelings.

The psychological analysis of motives for breaking into others' computer systems belongs to the realm of law enforcement and is relevant after the fact of the break-in.

I am sad to see that this blog has strayed so far from the bits and bytes of actual computer security.

Bruce SchneierMay 26, 2017 10:25 AM

@ab praeceptis, please end the hostility and offensive language.

SeanMay 26, 2017 10:59 AM

Fun to read, as I am personally a social psychologist, interested by cybersecurity, its technical and, of course, psychological aspects. If I'm following this blog, besides Bruce's very valuable articles, it's also to read all different comments.

Of course, as so, I am not skilled, or not enough, in technical aspects to figure everything out, but yes, I couldn't disagree with the absolute complementarity of both domains in the security field comprehension. The combination is absolutely fascinating.

That is to say, this article fits perfectly my point of view!

ArclightMay 26, 2017 12:05 PM

The hackerspace community is an interesting place to see this sort of thing. The people who come to our space are definitely interdisciplinary, and there is a general interest in privacy, InfoSec and physical security. One of our members got a PhD in sociology while attending, and we have a lot of cool projects come through.

I don't know if our space is an outlier, but we have a pretty vibrant human/machine meet-point.

Clive RobinsonMay 26, 2017 12:43 PM

@ Alice Hutchings,

It's nice of you to drop in here during what must be a hectic time at the moment.

The issues of gender imbalance in technology are as old as technology it's self but sadly appear to have defied all attempts to redress it much so far.

I've been actively involved in a number of initiatives from the late 1970's through to recent times in both the electronics and software industries, to improve the prospects for women. The one thing I can say is that women most certainly do not lack the academic or more practical skill sets, in fact they are often superior in the pre and graduate stages.

You are probably aware of Freeman Dyson's "Bird or Frog" view of the way people think are categorized. For some reason when it comes to working in the software industry frog thinkers tend to be over represented when people talk of "Star programmers", however when it comes to management above the team leader level bird thinkers start to predominate. Which is one reason given as to why few star programmers ever move up.

There is however a problematical social expectation that women should be "multitasking" though as you probably know many of the studies into multi / mono tasking/thinking do not show a general advantage to either mode.

Thus there is a societal in built pre disposition that the software industry needs monotasking deeply focused frog thinkers, not multitasking broadly focused bird thinkers, therefore the software industry is often perceived as,"No job for a women".

This is actually far from true. Frog thinking tends not to scale for a couple of reasons, firstly whilst it has depth it lacks breadth and secondly it tends to preclude the ability of effective communication which is vital for projects beyond a small scale. When you look at extrodinaraly large projects in the software industry many tend to fail expensively. The reason usually given is "lack of communication / cooperation" between the disparate parts of the project. That is the projects are not effectively Project Managed.

The easy conclusion is "frogs do not become princes" no matter how hard you promote them, where as "birds take to the sky and fly high". But it does not resolve the actual issues.

As is now being found at non Nation State level ICT projects, monolithic code constructs do not scale beyond a certain point even with multiple load balanced instances. Thus the drive towards microservices via Docker and Kubernetes. But in startups and smaller organisations the switch from monolithic to microservices is usually a disaster. There are two problem areas the technical and the human. Usually it's the technical that gets blamed when in fact it's the human side that fails, usually because of non multitasking and the lack of communication that arises.

I'm known for my preference for Hard Science post grads not CompSci for various reasons. Partly it's because hard science post grads tend to be scientists/engineer oriented not artisan/copyist, but importantly they generally know, not just how to communicate, but also integrate disparate parts as a norm not an exception. Further and importantly from a number of peoples points of view women tend to be better represented in hard science.

But further when you look at people in CompSci at the starting positions in the software industry if they are frog thinkers they fit in, if bird they tend not. Thus you have the problem that there is a high attrition rate at the normal entry rung on the career ladder. But it gets worse, as frog thinkers go up the ladder they bring other frog thinkers in behind them not bird thinkers. Which because men predominate in the frog thinking at the entry rung tends to mean that frog thinking women pull in frog thinking men behind them due to the paucity of frog thinking women... Which means that the paucity of bird thinkers above the team leader management, who also have entry level experience is very very low anyway and vanishingly small when it comes to women.

Thus in my long but somewhat limited experience you need a different way for bird thinkers to get the entry level experience but enter in above the team leader management level. Then find a way to get bird thinkers not to leave at the entry level rung as they can then see a clear career progression opportunity.

The problem is that currently the software industry is set up around the idea of monolithic systems, even when compartmented the view is single instance orientated, not distributed component orientated. It both favours frog thinkers and worse locks the industry into an evolutionary cul de sac where the dead end is the laws of physics for a single processing instance.

As can be seen with CPU's that are now multi-core the next evolutionary stage is parallel processing, which can only move forward via distributed systems. Whilst the design of single instances favours frog thinkers, multiple instances require a different thought process that favours bird thinkers who can multitask and communicate effectively. Thus as we move forward in the ICT industry, science / engineering not artisanal / copying will be the way forward which should favour bird thinkers more and more. Which as the frog thinkers in general will not be able to step up easily will actually create favourable opportunities not just to bird thinkers but women who tend to be better at the skill sets required at a younger age. If there is a sufficient skill shortage gender discrimination should diminish if not disappear due to supply and demand, and as older more staid / stale view points retire or fail to rise. But I must say that with over a third of a century industry experience so far the rate of change appears to have been less than the growth rate of the industry...

There is also the issues of the two world wars to consider. Both showed that outside of certain strenuous manual tasks women were just as capable as men and in some skills rather more so. However after each war women either left or were forced out of the work place, for what were mainly sociological reasons. It was not until the late 60's through to the 80's that "working wives" became more acceptable. Further in the US in the mid 90's for a decade or so, in some ethnic groups women on average had higher pay rates than men, but caution is needed as the same ethnic group showed a much much wider educational achievement between the women and men, with the men entering low skill or working class employment, whilst the women tended to enter middle class better paid administrative and lower / middle management roles.

However there is now another way by which gender neutrality may occur, which is distance working. It's not just the "nobody knows who you are, just what you do" aspect, it's the ability to more easily encompass a much wider range of life styles. Importantly it actively favours those with good communications skills amongst many often disparate entities which favours the bird thinkers over the frog thinkers. However when we look at major FOSS projects we still see a male predominance. However we also see a higher predominance of monolithic projects which still favour frog thinkers, so this may well change as the need for parallel / distributed systems rises.

Finally, whilst there is sexism in the software industry, it's also in many other work domains as well. It further tends to be more prominent in more polarised environments. In effect as a clique forms societal norms change, normally toward a common denominator and in short order a clique develops a "them and us" world view. Once developed separating the members of a clique does not immediately normalise the societal norms and if members meet again they will for some time revert to some extent back to the them and us viewpoint. Which makes undesirable traits linger.

KindnessMay 26, 2017 3:15 PM

A plea for all to be slow to anger and not rush to judgment about being certain and confident we understand the other person's comments.

Stephen Covey had one of his habits of highly effective People as; "Seek first to understand before seeking to be understood."

Please don't assume other people know the assumptions and the specific path of reasoning that led to your comments and conclusions.

Conclusions with missing assumptions, premises and rationale to give essential context can come off as insensitive to others.

"Think win win" for me would be think how I could be more accommodating, seek clarification first, before making bold accusations.

"Correct me if I'm wrong, this is my understanding of what you just said; ......."

StefanieMay 27, 2017 1:41 PM

Hello Bruce,

thank you for sharing the liveblogging.

Personally, I think too like others here, that it is essential to educate people much more and get them aware of security measurements to be taken while there are in the Internet.

I see it quite often on my blog that there is not an existing awareness of security at all. Loads of people think it is save cos they got some software running in the background but leaving their passwords empty or choosing one which is easily to guess. In my opinion there should be something like a basic course at school teaching the very basics of links and using them for the good and the bad.

Well, I hope more people get aware of security and broaden their minds soon.


WinterMay 27, 2017 1:42 PM

The obvious poster child of women in CS is Malaysia.

Due to some historical accidents, women dominate ICT and CS in Malaysia. Probably the only lesson we can learn from these examples is that the cultural perception of a field will determine who will enter it.

Martin SpamerMay 28, 2017 5:50 AM

It appears to me that we have security theatre(1) playing out in the UK with the Manchester Bombing (2).

We have a highly charged general General Election taking place. Theresa May the British Prime Minister is seeking re-election. Her Campaign slogan of 'Strong and Stable' is unconvincing to many and she is faltering in the polls. (3)

In response to the bombing she puts Troops on the street of Britain, an event that is unprecedented in modern times. She does this in a highly visible way that is reported right across the media spectrum. (4)

In the following days all 11 suspects currently under arrest have been apprehended through regular policing. (5)

Putting troops on the street appears to be Security Theatre on a grand scale. This is designed to give the appearance of action, to give the appearance re-enforcing the campaign slogan of 'strong and stable' while doing little or nothing to deliver any real security. It appears to me to hold the key elements of security theatre.


vas pupMay 30, 2017 9:24 AM

“We need a public self to navigate the social world of family, friends, peers and co-workers,” says John Suler, professor of psychology at Rider University in New Jersey, and author of The Psychology of Cyberspace.
!!!“But we also need a private self – an internal space where we can reflect on our own thoughts and feelings apart from outside influence, where we can just be with our own psyche. Our identity is formed by both. Without one or the other, our wellbeing can easily become disrupted.”

!!!Being anonymous allows us to try new things or express ideas without being judged. In 2013, researchers at Carnegie Mellon University in Pennsylvania published a study in which they conducted in-depth interviews with dozens of internet users on four continents. One interviewee, for instance, created an anonymous online community for English learners to practise their language skills. Anonymity helped them better manage certain spheres of their lives. One participant said that he frequented message boards to help people solve technical problems, but sought to avoid unwanted commitments{!] through the detached nature of the internet. Plus, being anonymous in an environment like the internet can help safeguard personal safety.

“Our results show that people from all walks of life had reason, at one time or another, to seek anonymity,” the researchers wrote of the 44 interviewees.

But according to a 2013 study from the Pew Research Center, while most internet users would like to remain anonymous, most don’t think it’s entirely possible. The study found that 59% of American internet users believe it is impossible to completely hide your identity online."

birdbrainMay 31, 2017 1:18 AM

@Clive Robinson re: birds and frogs ...

There's some writing out there called "The Programmer's Stone", and while a lot of it seemed overly mystical-cranky to me, one part rang true to my experience: It assigns thinkers to a spectrum between two extremes, the "Mapper" (who generalizes and abstracts, and constantly refactors their "mental map" to improve consistency, tease out new connections and exchange these dense abstractions with other mappers more efficiently) and the "Packer" (who collects vast quantities of facts and stores them all, but doesn't attempt to generalize much or ever discard the collected facts).

Most people are some mix of the two extremes, but "mapper" and "packer" problem-solving strategies can be quite different: mappers take example facts and try to abstract or combine them, or relate them to one of their general concepts, and possibly refactoring their mental map in the process. While packers try to find a similar fact pattern in their collection of details thats similar, and reason by example.

Anyway, all of the skilled programmers I have met are strongly mapper-oriented thinkers, which is not surprising because programming more or less _is_ mapping: the forming of useful abstractions, collapsing of details and special cases into general algorithms, the discovery and representation of the relationships between concepts. Its not surprising that so many people who are drawn to programming would be mapper thinkers.

Knowing about this difference in thinking is also really helpful for mappers trying to communicate with non-mapper co-workers. They don't process information the same way, or draw inferences the same way, and being aware of this can help avoid communication mishaps.

Petre PeterNovember 7, 2017 10:22 AM

"We are clearly giving new meaning to words". A memorial honorably stores a person's name. JFK street in Cambridge is an example of trying to honor a person's name by abbreviating it. i strongly believe that Cambridge can afford street signs long enough to fit the entire John Fitzgerald Kennedy name.
Remember! Some of us might not want to me remembered by the acronym of our names.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.