Review of Beyond Fear

Merengue
January 2004

"That's just it, Peter. We have to appear to know what's happening, and what it means. Even if we don't really know very much about either."

Unnamed police informant to the reviewer. Source report graded B 2 (NATO system).

Bruce Schneier's eminently well-informed and sensible text should be essential reading for any police official charged with making a "risk assessment," or in any other way taking part in the risk management industry which as a result of 9/11 is likely to engulf -- if you will forgive the pun -- us all.

Mr Schneier is a real expert on security systems and their consequences, and therefore does not pretend to know everything. Nor is he prepared to accept responsibility for decisions that others need to make, on the basis of that combination of necessarily incomplete knowledge and arguable value-judgement that any real security decision involves. His book is the best kind of knowledge, for it enables us to decide things for ourselves, more effectively than if we had not read it beforehand. It contains what in one sense we knew, but did not dare say: and there is a wealth of detail to back it up.

He confirms our suspicion that security can never be perfect; that the attacker will usually have the advantage, until the defender catches up; and that security assessment is a matter of assessing both risk and threat, and deciding what one is prepared to invest in counter-measures accordingly. He puts forward a five-stage model for security management, and works through it to analyse hundreds of real examples, including the latest security threat to the United States and its repercussions. (On balance, he is in favour of sky marshalls, but recognises valid objections to them.)

His model is as follows:

  1. What are you trying to protect?
  2. What are the risks to those assets?
  3. How well does the security solution mitigate those risks?
  4. What other risks does the security solution cause?
  5. What costs and trade-offs does the security solution impose?

Schneier quotes four main influences upon the effectiveness of security measures, as follows:

  • Law
  • Market Forces
  • Social norms
  • Technology

And shows how all four mechanisms can affect a complex security system.

Although I can summarise parts of the book, I cannot reproduce it, and nor should I attempt to try. There are areas of supposed scholarship (such as some leadership studies, for example) where the summary may be all (or more) that one needs to read. "Beyond Fear," by contrast, contains useful challenges on every page, and is as readable as a good suspense story -- as, in a sense, it is.

Peter Villiers
Head of Human Rights
National Police Leadership Centre
Bramshill, England
January 2004

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..