Security and Human Behavior (SHB 2018)

I'm at Carnegie Mellon University, at the eleventh Workshop on Security and Human Behavior.

SHB is a small invitational gathering of people studying various aspects of the human side of security, organized each year by Alessandro Acquisti, Ross Anderson, and myself. The 50 or so people in the room include psychologists, economists, computer security researchers, sociologists, political scientists, neuroscientists, designers, lawyers, philosophers, anthropologists, business school professors, and a smattering of others. It's not just an interdisciplinary event; most of the people here are individually interdisciplinary.

The goal is to maximize discussion and interaction. We do that by putting everyone on panels, and limiting talks to 7-10 minutes. The rest of the time is left to open discussion. Four hour-and-a-half panels per day over two days equals eight panels; six people per panel means that 48 people get to speak. We also have lunches, dinners, and receptions -- all designed so people from different disciplines talk to each other.

I invariably find this to be the most intellectually stimulating conference of my year. It influences my thinking in many different, and sometimes surprising, ways.

This year's program is here. This page lists the participants and includes links to some of their work. As he does every year, Ross Anderson is liveblogging the talks. (Ross also maintains a good webpage of psychology and security resources.)

Here are my posts on the first, second, third, fourth, fifth, sixth, seventh, eighth, ninth, and tenth SHB workshops. Follow those links to find summaries, papers, and occasionally audio recordings of the various workshops.

Next year, I'll be hosting the event at Harvard.

Posted on May 25, 2018 at 1:57 PM • 30 Comments

Comments

Bruce SchneierMay 25, 2018 3:30 PM

"the list of participants list political scientists twice"

Fixed. Thank you.

echoMay 25, 2018 5:26 PM

Oh, I wish I could go to a thing like this.

The Lancaster behaviour is very interesting. I had some comments but it sounded like total drivel in comparison. I decided to keep my mouth shut and give the imrpession I am less dim than I am.

FlonynomymousMay 25, 2018 5:33 PM

I'm curious, what actionable work has come out of past events? E.g. as a direct result of this conference has anything been done/improved/etc?

echoMay 25, 2018 6:07 PM

Oops. Sorry for the stupid edit. I meant Lancaster University paper. Some of the rest looks very interesting but oh my what a wad of stuff to read.

RockLobsterMay 26, 2018 12:58 AM

I wish I was there, I would have a lot to discuss with Henry Willis.

Do you think someone should have discussed the state of surveillance capitalism?
It seems to get worse by the day. It now seems tracking people across the internet isn't enough, so now they are using smart phone real time location tracking to monitor everyones real world activities.

BTW, great title for your new book, I'm looking forward to reading it.

K15May 26, 2018 10:38 PM

Most advice to humans on avoiding a harm is offered with the assumption that it can be followed without risking some other harm.

PatriotMay 27, 2018 6:12 AM

I think the presentations that Mr. Schneier does at these workshops are the most well-considered and insightful comments about security that one could hope to find anywhere. They are extremely valuable.

He is absolutely right to keep talking about elements of psychology such as cognitive bias, etc., as those touch upon security. And, in my opinion, he has hit the nail on the head in one very important matter that few get right: the security mindset.

After I saw his video at https://www.youtube.com/watch?v=eZNzMKS7zjo I have one thing to say: despite not having been a hacker or operator of some sort, he really knows what he is talking about here.

It goes like this: having the viewpoint, zeal, and will of the attacker is extremely valuable for defense. This is good stuff: informative, crystal clear, all with a direct bearing on the salient issues we face in cryptography and more widely in the whole of computer security.

RocklobsterMay 27, 2018 12:23 PM

Excellent video.
@Bruce I'm going to post the link to that on Wilders, your perspective on that absolutely on the money.
I dont think enough people consider, if you want to beat the criminal you have got to be able think like a criminal.
I do that all the time not just in tech security but generally when I examine political issues, stories in the media etc, I connect the dots and see right through the lies because I can think like they do. So it is clear to me that is exactly what I would say or do if I was trying to implement this or that hidden agenda and usually I am proven accurate long after the fact, but at the time, I am a crank conspiracy theorist.

I knew the surveillance had began in earnest on or around the turn of the millenium.
Cams built into every mobile device was one of the first indicators.
Then something it seems no one else noticed.
MSN Messenger.
I had three hotmail accounts.
One my real name, real info for family, friends, business.
The other two, psudonyms and fake info used for random web stuff.

So again, around the turn of the millenium, a MSM messenger update.
It had a new feature, a button that revealed all email accounts associated with each user on the contact list.
I said damn, so I did that and sure enough, other email addresses showed up for my contacts.
Some were real name email adddresses for people I only knew as an internet psudonym.
So I added myself to my own contact list and what do you know, all three of my hotmail addresses popped up. Linking my real world ID my internet psudonyms.
I said omg.
How could that happen? They are unconnected separate accounts.
First I thought they must be connecting logins from the same ip address.
Then I said, no that cant be it, different peope use the same computer all the time.
Then I realized, they have to know the name of the Windows account being used when logging in to Hotmail and thereby linking all the email accounts that user logs in to.
But surely, that is user identifiable ibformation, which at the time Microsoft claimed they never collected.
So anyway, a few days later another MSN messenger update.
I installed it and guess what.
That feature was removed.
I asked my friends, they all said they hadnt updated MSN in months so they never saw the email linking feature.
I posted on forums, no responses except a few insinuations here and there that I was paranoid etc.
To this very day I never met anyone who was aware of that.
I knew it was another indication that surveillance was being implemented and internet users were being ID'd but you think anyone would listen ?

RockLobsterMay 27, 2018 1:00 PM

I'll tell you a funny story about that. One time when I was trying to think up a username and so many I tried were already taken, there was a British rock band I was into called The Cult.
So the TV was on MTV and one of their songs, fire woman was playing.
Well, the bands original name was Southern Death Cult.
So I typed that into the new username box and what do you know, the green checkmark appears, username is available!
No one else was using SouthernDeathCult at hotmail or yahoo.
So I thought yeah that sounds cool and it's named after my favorite rock band so I took it and used that email as my username on lots of sites including one of my coding forums where we coded autotraders for forex (never made any money but still, the coding in C was fun and educational) where I shortened the name to SDC.
So one day someone on the forum asks me what does the initials SDC mean.
So just fooling around I said it means SouthernDeathCult, we are trading forex to raise money for weapons and a new compound where we will base our plans for global domination...
Bare in mind that was back in the day when no one could imagine the extent to which we were all being monitored so joking around like that was no big deal, or so I thought.
So some time after that the British prime minister Tony Blair is making a speech about threats etc and he says we have death cults forming on the internet!!
I nearly fell out, I said damn !! No wonder I'm under surveillance!!

Wesley ParishMay 28, 2018 4:49 AM

@Bruce, if there is anything I'd like to see on this SHB discussed on your blog, it is the neuroscience-psychology-anthropology angle.

In their book "Man the Hunted: Primates, Predators, and Human Evolution", Donna Hart and Robert W Sussman raise the point that prey don't spend all their time obsessing about being prey. It's just in the background. (It's been a while since I've read the book and I don't have a copy of it, but that is the general gist of that point.)

It's a point that could be raised in general discussion, perhaps? (Along with its cognate, contributed by no less than that renowned Anglo-Irish scholar and heavy drinker, C S Lewis, that Man[kind] is the First ie Original Domesticated Animal, and like all domesticated animals, we tend to be very trusting ... :) according to some hints on domesticating Russian/Siberian foxes published in last decade's New Scientist, domestication cannot proceed without that aspect coming to the fore.)

Clive RobinsonMay 28, 2018 7:41 AM

@ Wesley Parish,

Donna Hart and Robert W Sussman raise the point that prey don't spend all their time obsessing about being prey.

One of the reasons behind this is food...

Most prey are further down the food chain such as herbivorous, which can spend 80% of their awake time involved with finding sufficient food.

Whilst most of the carnivours creatures doing the preying actually spend between 66% and 80% of their time asleep or resting when prey are plentiful.

The one that is the real shocker is the omnivores that are also apex preditors, such as humans. They spend around 66% of their time awake with as little as 5% of that time engaged in finding the staples of life.

The prime example was the discovery of the Kalhari bushmen, who spent as little as 10minutes a day sorting out food, then spent the rest of the day sitting under trees and similar in small mainly peaceful activities of a creative kind.

This so shocked the "establishment" that their discovery was in effect falsely reported for well over fifty years.

In the establishment the church and landed rent seakers had pushed the idea of the Protestant Work Ethic for quite some time to their vast enrichment. That the news about the bushman was considered what we would describe these days as "An existential national security threat". Thus for the next fifty odd years what is now called "science" was the province of what we would consider "the idle rich" looking for distractions to the humdrum of their lives (which by the way lasted in parts of the world untill well after WWII, have a look at Kenya, the Mau Mau uprising and the documentation that lead upto the creation of "White Heat").

The type of prey that most worries about being preyed on is infact the omnivorous apex preditors. Where being preyed apon is not as food but as being removed as a resource user by other omnivorous apex preditors. That is "tribal warfare" through national conflict with other nations, civil war and more recently terrorism.

Mostly these fears are not evidenced based, worse they are "stoked and stroked" by those with political or ideological control in mind, using the "Fear Uncertainty and Doubt" (FUD) techniques honed to near perfection in the late 19th and 20th Century through to today which gets lumped under "propaganda".

Thus the more time on your hands the more likely you are to worry. Which in self appointed leaders results most often in the FUD such as the "Protestant Work Ethic" to keep the rest of the population too busy to consider getting rid of the self appointed.

It carries on today with something like 60% of jobs being "makework" in some way. With most "safe jobs" being in the likes of pointless administration activities. It also accounts for why non makework activities where there is even a small chance of those involved getting organised and holding the self appointed out for what they realy are, getting extreanly victimized. To see this look at Thatcherism in the 80's and what went on during the first part of the 20th century with "guard labour" both public and private being given free reign to "break skulls" etc.

The various struggles of the "Labour Movements" are a direct reflection of the fears of the self appointed, it's also in more modern times rent seaking behaviour is being forced on society, where all but "the chosen" are not just "rights stripped" but "asset stripped" as well, forcing the majority into a worse position than if they were slaves...

Once you get through the FUD smokescrean the self appointed lay down to cover up what they are upto the easier it becomes to spot what the game is.

Have a look at the thinking of the neo-cons that pretend to be Republicans in the US and worse in other nations. And the actions of the 1% of the 1% who feel so confident they feal no need to be discreet anylonger like the Koch Brothers.

Oh and the much talked about "trickledown effect" the only evidence of which is the products of the MIC being pushed further and further down the public and private "guard labour" hierarchy, where single lowly none to bright and clearly prejudiced individuals have easy access to weapons of war and surveillance that were compleatly unavailable to even special forces just a decade or so ago... Then look at how they are protected by the legislature that get funded via the self appointed.

echoMay 28, 2018 8:13 AM

Yes to all the above including the allegation the police exist to protect the establishment. I have discovered the occasional whiff of defering to and acting at the convenience of other feudal organisations, and turning blind eyes. There are some welcome but also odd policy initiatives by governent who now perceive women being economically active and influential. This all seems to be a matter of navigating the balance of vested interest.

I believe the Thatcher revolution is worth revisiting and examining for exactly who is responsible. Janet Daley (now paywalled behind the Barclay brothers 'Telegraph') wrote an opinion column on this where she did point out the bandits had taken advantage of dereulation and pocketed the money instead of investing in growth as Thatcher had hoped for. I understand the latest international benchmarks reveal UK senior management is now weak and performs badly compared to other nations. Having hollowed out organisations I daresay this is a factor and perhaps why a man like BTs current CEO managed to get to where he did.

I bought tools to adjust a new ladies watch strap. Unfortunately I disovered after a fiddle I need a bench magnifying glass and a vice. I buckled and phoned for a quote and am taking the watch in to get a man repair it. So much for the revolution.

RockLobsterMay 28, 2018 10:55 AM

@echo
"I believe the Thatcher revolution is worth revisiting and examining for exactly who is responsible"

Start with Milton Friedman.

(required)May 28, 2018 12:04 PM

@echo "where she did point out the bandits had taken advantage of dereulation and pocketed the money instead of investing in growth"

This should surprise no one in 2018. This is their deliberate cycle of operations.
John Birch Society et al, treasonous bastards since 1899

echoMay 28, 2018 2:33 PM

@RockLobster, @(required)

The same Milton Friedman who disowned the better half of his theory in favour of the half he said didn't work because it would be easier to sell to the economists? Oh, thanks Milton. Good show. What kind of logic is this?

There is also the Freedom Association, and excesses of the Mayfair set who did to the rich what the rich were doing to the rest of us before losing the lot. What a bunch of shifty scallywags.

Clive RobinsonMay 28, 2018 3:54 PM

@ echo,

The same Milton Friedman who disowned the better half of his theory in favour of the half he said didn't work because it would be easier to sell to the economists?

Actually he was not interested in selling it to "economists" as they were mearly the piper. He wanted to sell it to those who payed the pipers, so his tune would be played loud and clear.

At best "economics" is not a science, not even a realy soft and mushy soft science. At worst economists publish "trash" to please those that directly or indirectly fund them whilst their peers "log roll" their reviews and other works for their turn at the money pump.

After all those cushy offices and common rooms in Universities they inhabit, do not come cheap. Thus many economists teach and theorize what brings in the most money...

By and large most people would not flick a plastic nickle in the direction of economists. Thus those that do push large quantities of cash towards them not only have an agenda, they are also the same set of individuals "treating the legislators"... Which kind of tells you what they are upto. Oh and just to spread the largess a little further to cover other bases they also fund "think tanks"...

So an economist says X, which other economists nod along with. A think tank then endorses X and further amplifies it. Thus a legislator can pretend there is legitimacy to X thus has a cover for enacting X and receiving "support" from the paymaster "treating" them in some way.

This sort of three and more way behaviour if carried out by a business on prospective investors would earn the seniors a significant feeling of not just their collers but their wallets and other assets as well by the authorities. At the least they would expect a series of large fines for what would be regarded as corporate fraud or corruption.

But you put a politician and a campaign fund in there then all of a sudden it's all legitimate...

Yes I know it makes me sound very cinical, but you would be as cinical if you dug a little in that murky "field of endevor".

Alyer Babtu May 28, 2018 4:58 PM

@ many above, re economics

Further to @Clive Robinson

"economics" is not a science, not even a realy soft and mushy soft science

Mathematician Donald Saari analyzed a common formalization of economic dynamics and showed even an “economy” with three goods is a chaotic dynamical system. Start basically anywhere and go basically anywhere. Thus there is no support for Adam Smith’s “hand of the market” or any other nostrums of economists.

https://www.math.uchicago.edu/~shmuel/AAT-readings/Econ%20segment/invisible%20hand.pdf

echoMay 29, 2018 2:12 AM

@Clive

I heard what you are saying. Most people thankfully arenot like this but this is also what they take advantage of. They are no better than ordinary people which a column on one PhDs experience at Harvard discussed the other day. I find it very difficult to have a subtle discussion about this. How many graphic experiences do people want before the penny drops?

John SmithMay 29, 2018 9:47 AM

It would be great if normal humans like me could occasionally be involved in something like that.

echoMay 29, 2018 2:07 PM

@Alyer Babtu

Yes, you could say this. That said Adam Smiths theories do say the market depends on customers having information. I notice this is often forgotten and perhaps why Adam Smith is not used so much by right wing politicians today as once the truth began to be realised by the commentariat his theories became inconvenient.

I personally find UK politics very annoyingly polarised. I'm not religiously opposed to privatisation of substantial chunks of the state sector. The reason is I believe the facade of the state sector is just a container hiding a lot of bullying and graft (not to mention on the surface thorough but extremely carefully calculated evasive investigations which hide more than they reveal). The privatesector is significantly better with regard to discirmination. This doesn't mean the private sector doesn't have faults, of course. Another annoyance is law is often framed in a binary way where state and private are given different regimes which only highten confusion and lack of comparative standards. Similar is also true with historical discrimination laws which createas many problems for men as they do women. You can also see the blanket approach in the RPIA law where wifi survellience was only stopped because it would cause too many problems for citizens and bad marketing for politicians not because anyone thought through the privacy and security issues. Legal drift is another issue often missed with society tugging one way and policy on the quiet tugging another and nobody on either side spotting this until after the event when it is usually too late.

I haven't read the paper but at a guess Donald Saari completely ignored the laws of thermodynamics. Design imposes constraints.

Alyer Babtu May 29, 2018 5:56 PM

@echo

I understood Saari to be mainly concerned to show that the standard models of economic markets, though plausible at first, don’t have the properties seen in real markets, in fact have extremely different and unexpected properties. The lack of constraints is built in by the standard models.

For an attempt at a realistic treatment, and one probably influenced by thermodynamics :), the authors being physicists, you might enjoy

http://www.cambridge.org/us/academic/subjects/physics/econophysics-and-financial-physics/dynamics-markets-new-financial-economics-2nd-edition?format=HB#IqGB8SIK2A06E5Wz.97

echoMay 29, 2018 7:05 PM

@Alyer Babtu

Thanks for your clarifications. I forgot to say Adam Smith promoted regulated markets. I don't have to lecture others more qualified to coment these are rigged and backdoored to shreds. I can't promise but I may skim your suggestion tomorrow when my brain is less foggy.

vas pupMay 30, 2018 10:41 AM

http://www.bbc.com/future/story/20180530-the-controversial-debut-of-genes-in-criminal-cases

“But then his defence team decided to ask for a scientific assessment. It turned out that Waldroup had an unusual variant of the monoamine oxidase A (MAOA) gene – dubbed the “warrior gene” by some in the media because of its association with antisocial behavior including impulsive aggression. A forensic scientist testified that Waldroup’s genetic makeup, combined with the abuse he had experienced as a child, left him at greater risk of violent behavior."

Looks like related to psychology of security for assessment of violent behavior by genetic scan of prospective security team members, not only for criminals.

Wesley ParishMay 31, 2018 3:39 AM

@Clive Robinson

Most prey are further down the food chain such as herbivorous, which can spend 80% of their awake time involved with finding sufficient food.
And the reason for that is that a lot of the foodstuff niches exploited for example by most of the antelope species (including domestic cattle) and the horse species, are low-quality, ie, the cattle must eat a lot of grass to get sufficient calories.

Fructivores such as most of the primate species, get a larger amount of calories from a smaller amount of food. The carnivores get all from a relatively small amount of herbivore flesh - and occasionally, from carnivore flesh - hyenas for example, invite the King of Beasts to lunch, as the main course of course, on the odd occasion. Lions usually find the invitation irresistible - though they do of course try. Hans Kruuk, Hyena, Oxford U Press, 1975, pg 48. (I recommend reading both that and his larger book, The Spotted Hyena. Along with George Schaller, Jane Goodall, and the like.)

Clive RobinsonMay 31, 2018 8:01 AM

@ John Smith,

It would be great if normal humans like me could occasionally be involved in something like that.

What makes you think the attendees are not "normal humans like" you ;-)

echoMay 31, 2018 8:10 AM

@Wesley Parish

I for one I'm glad I'm not at the bottom of the food chain. Have you ever stopped to consider the brutal murder happening in the herb garden? It's really scary in there. I wonder what a bio-social take would have on security. Has anyone discovred academic papers in this field which have a direct bearing on the topic?

vas pupJune 5, 2018 12:20 PM

@all: I guess that important for subject matter:
Are you scared yet? Meet Norman, the psychopathic AI:
http://www.bbc.com/news/technology-44040008
The psychopathic algorithm was created by a team at the Massachusetts Institute of Technology, as part of an experiment to see what training AI on data from "the dark corners of the net" would do to its world view. "Data matters more than the algorithm. "It highlights the idea that the data we use to train AI is reflected in the way the AI perceives the world and how it behaves."
Dr Joanna Bryson, from the University of Bath's department of computer science said that the issue of sexist AI could be down to the fact that a lot of machines are programmed by "white, single guys from California" and can be addressed, at least partially, by diversifying the workforce.She told the BBC it should come as no surprise that machines are picking up the opinions of the people who are training them."When we train machines by choosing our culture, we necessarily transfer our own biases," she said.
"There is no mathematical way to create fairness. Bias is not a bad word in machine learning. It just means that the machine is picking up regularities. "What she worries about is the idea that some programmers would deliberately choose to hard-bake badness or bias into machines. To stop this, the process of creating AI needs more oversight and greater transparency, she thinks.

Wesley ParishJune 6, 2018 6:36 AM

@echo

Good point. The human security "condition" is after all a specialized version of primate social hierarchy on one hand, and on predator-prey relations on the other. Humans have a long and ugly history of cannibalizing one another for spare ribs - err parts ...

I think I'll pester some of the local university zoologists. I like doing that, and it is part of their job. If they come up with some interesting and useful books and articles I'll mention them on this forum.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.