Essays: 2011 Archives

Empathy and Security

  • Bruce Schneier
  • IEEE Security & Privacy
  • September/October 2011

Several independent streams of research seem to have converged on the role of empathy in security. Understanding how empathy works and fails—and how it can be harnessed—could be important as we develop security systems that protect people over computer networks.

Mirror neurons are part of a recently discovered brain system that activates both when an individual does something and when that individual observes someone else doing the same thing. They’re what allow us to “mirror” the behaviors of others, and they seem to play a major role in language acquisition, theory of mind, and empathy…

Detecting Cheaters

  • Bruce Schneier
  • IEEE Security & Privacy
  • March/April 2011

Our brains are specially designed to deal with cheating in social exchanges. The evolutionary psychology explanation is that we evolved brain heuristics for the social problems that our prehistoric ancestors had to deal with. Once humans became good at cheating, they then had to become good at detecting cheating—otherwise, the social group would fall apart.

Perhaps the most vivid demonstration of this can be seen with variations on what’s known as the Wason selection task, named after the psychologist who first studied it. Back in the 1960s, it was a test of logical reasoning; today, it’s used more as a demonstration of evolutionary psychology. But before we get to the experiment, let’s get into the mathematical background…

Why Terror Alert Codes Never Made Sense

  • Bruce Schneier
  • CNN
  • January 28, 2011

The Department of Homeland Security is getting rid of the color-coded threat level system. It was introduced after 9/11, and was supposed to tell you how likely a terrorist attack might be. Except that it never did.

Attacks happened more often when the level was yellow (“significant risk”) than when it was orange (“high risk”). And the one time it was red (“severe risk”), nothing happened. It’s never been blue or green, the two least dangerous levels.

The system has been at yellow for the past four years, and before then the changes seemed more timed to political events than actual terrorist threats. Not that any of this matters. We all ignored the levels because they didn’t tell us anything useful…

Schneier-Ranum Face-Off on Whitelisting and Blacklisting

  • Bruce Schneier
  • Information Security
  • January 2011

This essay appeared as the second half of a point/counterpoint with Marcus Ranum.

The whitelist/blacklist debate is far older than computers, and it’s instructive to recall what works where. Physical security works generally on a whitelist model: if you have a key, you can open the door; if you know the combination, you can open the lock. We do it this way not because it’s easier—although it is generally much easier to make a list of people who should be allowed through your office door than a list of people who shouldn’t—but because it’s a security system that can be implemented automatically, without people…
