Bruce Schneier: More on the Broad View of Security
By Derek Slater
Bruce Schneier's evolution of interests is well documented, moving from encryption to broader and broader perspectives on security. (Hence his recent appearance on 60 Minutes, commenting on TSA's airport screening procedures.) To bring wider perspectives to bear on security issues, Schneier (Chief Security Technology Officer at BT) held in 2008 the first Workshop in Security and Human Behavior, with participants from a broad swath of disciplines including economics, psychology and more. Schneier spoke with CSOonline about his multidisciplinary view of the field and plans for 2009.
CSO: What was the biggest surprise or most enlightening development at the Workshop in Security and Human Behavior?
For example, a lot of the seemingly irrational security trade-offs that the behavioral economists have documented can be explained by the evolutionary psychologists. And the effectiveness of social engineering with regard to computer attacks can, in part, be explained by those working in deception detection.
Gary Steele, the CEO of Proofpoint, mentioned recently that they have hired a bunch of people with backgrounds in gene sequencing, because it's all about pattern matching and thus directly applicable to problems like large-scale spam detection. What other fields are already contributing directly to security in surprising ways?
Are you planning another workshop for 09, and how might it differ from the first?
On a different note, your blog post "FBI Stoking Fear" calls to mind a conundrum in security, particularly regarding low-probability, high-impact events. After 9/11 some media outlets described those attacks as 'unimaginable', but of course they had been imagined and written about in some detail. Now we see that Mumbai had various warnings or intelligence reports. But it's hard to differentiate communications about "could happen" and "might have been tossed around in an online forum" and "likely to happen" in a meaningful way (particularly given that an internal FBI memo may become external, etc.). How should companies in particular think about these things?