Trading Off Crime with Terrorism

Chris Gibbons
World at Six
May 16, 2007

Security is a trade-off, says BT's Chief Technical Officer Bruce Schneier: and currently we're trading off the real risk of crime on the internet today against the big, scary 'cyber terrorism', which is largely a media creation. Here's more.

Chris Gibbons: Well, coming up at the end of the month, 22 to 25 May in fact, is the IT Web Security Summit. Now in recent years, security has dominated the corporate agenda. And while there has been significant effort expended in protecting organisational resources, security incidents have been on the rise, and the risk of exposure of confidential customer, corporate and personal information is at an all-time high.

So the key speaker at the forthcoming summit is our next guest, on the line from Chicago in the United States. He is an internationally renowned security technologist and author, the founder of BT Counterpane Internet Security and also its Chief Technical Officer, Bruce Schneier.

Bruce, good evening to you South African time, good morning to you in Chicago. You argue that security is a trade-off. Tell us more about that, and how does one decide on what exactly needs trading off? How do you go about it?

Bruce Schneier: Well, we all know security is a trade-off. We get something and we give something up. Do we spend money on a burglar system, or spend extra time in airport lines because of increased security? We get some security and we give up something.

And it is important to look at security as that business decision, and you make that decision with information. We make bad security trade-offs when we don't understand the risks, the costs, how effective the security is. So a lot of it is about making smart decisions with information and not emotional decisions.

Chris Gibbons: How good are companies or their managers at making the security trade-offs? Can you give us some examples of bad trade-offs, things that can go horribly wrong?

Bruce Schneier: Well, we tend to be good at making trade-offs when it is stuff that we are familiar with. We all make trade-offs about the security risks of dealing in foreign countries or foreign currencies or excess inventory. These are all risks of the business that we make trade-offs about.

We tend to be less good when they are technological and we don't understand the technology. So for example, we might not adequately protect our networks, and then very bad things happen and it costs us a lot of money; that is an easy example. Or something happens and we get our name in the newspapers: a bank that is having really bad security, that is a bad thing. And it is because the technological risks are complicated, so we don't understand them as well as the normal business risks that we are used to.

Chris Gibbons: You talk in your writings about the need to stay in touch with reality, knowing the facts of where your biggest risks are. What do you mean when you say that?

Bruce Schneier: Well, see, this is more trade-off. We have only so much money, time, whatever, to spend on security. So you want to spend it on the important risks and not the minor risks, which, even if they are the risks in the newspapers, are not the risks to worry about.

So again, it is staying in touch with the reality of your situation: not what is big in the press, but what is going on in your network is what you should care about. And if you do that, you are more likely to get the security right than if you don't.

Chris Gibbons: So why then do people make irrational security trade-offs?

Bruce Schneier: Well, there are a whole lot of reasons, and I have written lots of papers on the psychology of this. A lot of it is because we as a species are really bad at some of these technological risks. We are very emotive, we respond to stories a lot more than data, and big and spectacular is just scarier than common.

So to make good security trade-offs, we sort of need to go against our psychological tendencies; we need to go against what we do naturally and do it smarter. And a lot of that is about training, it is about knowledge, it is about experience, and all the smart things that help you succeed in business help you succeed in security too.

Chris Gibbons: Bruce, I need you to delve a little bit deeper into that one for me. Which are the risks that we tend to exaggerate, and which are the ones that we in fact downplay?

Bruce Schneier: I will give you an easy one: right now we are grossly exaggerating the risk of terrorism. At the same time, we are underplaying the risk of crime, especially on the internet. Crime is a huge risk on the internet today, and yet, you read the articles, you see who is getting the money: it is cyber terrorism, it is this big scary bugaboo which I think is largely a media creation. So there is an example of responding to the risk that makes the press rather than the risk that is real.

Chris Gibbons: Okay, then, if we go down that road, what impact are these psychological reactions to risk having in business environments, particularly in terms of businesses securing their information, data and their computer systems?

Bruce Schneier: Well, what they do is they make you make bad trade-offs. It is important to make security decisions based on real data: what the real risks are to you, how valuable the data is, and not based on fears that are stoked by stories or the media or whatever inputs you are getting.

Now, this is smart; we know we are making investment decisions based on real data and not based on random things that friends say. But we don't think about it that much in terms of security decisions. So it makes a difference: if you are rational, if you are smart, if you get your data, if you pay attention, you are going to do better in business because you are going to make smarter decisions.

Chris Gibbons: Fascinating perspective. I look forward to hearing Bruce Schneier speak at the IT Web Security Summit, May 22 to 25. Bruce Schneier on the line from Chicago in the United States; he is the founder of BT Counterpane Internet Security and also their Chief Technical Officer. Bruce, thank you for being with us on The World at Six.

Photo of Bruce Schneier by Per Ervland.