We Are All Security Consumers

  • Bruce Schneier
  • IEEE Security & Privacy
  • January/February 2003

Computer security is vital, and IEEE is launching this new magazine devoted to the topic. But there's more to security than what this magazine is going to talk about. If we don't help educate the average computer user about how to be a good security consumer, little of what we do matters.

Dozens of times a day, we are security consumers. Every time we cross the street, we're buying security. When we brush our teeth in the morning, we're buying security. We buy security when we lock our door, or our car. When you reach down at a checkout counter to buy a candy bar and notice that the package has been opened, why do you reach for another? It's because for the price of the candy bar, you want to also buy as much security as you can.

Security is a consideration when we decide where to vacation. Cell phone companies advertise security as one of the features of one cellular system versus another. When we choose a neighborhood to live in, or where we park when we go shopping, one of the considerations in that choice is security.

As consumers, sometimes we have choices in what we buy and sometimes we don't. Airplane security is what it is; we can't choose to buy more or less of it. Banking security is largely dictated by government regulations; banks don't compete with each other on security. On the other hand, we can choose between different brands of door locks or wall safes based on security. We can either purchase a home alarm system or not. We can choose to fly, or decide to drive instead.

As security engineers, our goal is to design systems with better technical security. This magazine is devoted to the technical aspects of security engineering, but none of it will matter if we don't educate people in how to be smart security consumers. We need to teach people how to get involved in the security around them. We need to teach people how to shop for security, how to make comparisons, and how not to get taken. We need to provide people with a good bullshit detector so that they can spot ineffectual security and explain why.

This means that you will be able to get more security-and be safer-for the same trade-offs. Any consumer can get more if he spends more, but a smart consumer can get more without spending more. One of the goals of our profession is to enable people to maximize the amount of security they get for what they pay, but if we don't teach them how to do make the trade-offs our work will be in vain.

Security always involves trade-offs. It costs money, convenience, functionality, and freedoms like liberty or privacy. We need to teach people how to assess what kinds of security are good investments and which aren't. We can't tell people what they personally need, or what security policies to support, but we can give them the tools to make those decisions for themselves. We are all security consumers, and the smarter consumers we are, the more we can make security into something that betters our lives instead of worsens it.

Governments wants to tell its citizens what security we need. They want people to be passive security consumers, and accept what they are offered. They want people to not worry when they demand new police powers, or pass laws reducing civil liberties. Technology companies want similar things: for people to simply buy the cell phone or operating system or router and not worry about security.

We need to show people how to actively take charge of their own security. We need to help people make smart decisions. We need to help people improve their judgment. That, more than any technology, will make us all safer.

Categories: Computer and Information Security

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.