Review of Beyond Fear

Security is a complex business. If you’re looking at the security of a computer network, for example, you can’t just look at the physical characteristics of the system. Humans help protect the system, and humans attack it. Yes, most humans aren’t clever enough to create their own attacks, but they can master the rudimentary skills required to go after the system using automated tools the innovators create.

But how do you evaluate a security system, whether it’s meant to protect a computer, an airport, or an individual? In Beyond Fear, Bruce Schneier, security expert and founder of Counterpane Internet Security, advocates a five-part analytical framework:

  • Step 1: What assets are you trying to protect?
  • Step 2: What are the risks to the assets?
  • Step 3: How well does the security solution mitigate those risks?
  • Step 4: What other risks does the security solution cause?
  • Step 5: What trade-offs does the security solution require?

The questions themselves seem straightforward, but there’s a lot going on when you move through each step. Identifying the assets at risk is fairly straightforward, but the rest of the steps in the process can be problematic. And how do you analyze the security risks? Companies often hire outside teams to test their physical and computer security schemes, but even that relatively objective analysis isn’t enough. As Schneier notes in the introduction to Chapter 3:

Most security decisions are complicated, involving multiple players with their own subjective assessments of security. Moreover, each of these players also has his own agenda, often having nothing to do with security, and some amount of power in relation to the other players. In analyzing any security situation, we need to assess these agendas and power relationships. The question isn’t which system provides the optimal security trade-offs—rather, it’s which system provides the optimal security trade-offs for which players.

Schneier brings the eye of an experienced analyst to the problems posed by security systems of all sorts. It’s that experience that lets him observe that, if he wanted to explode a bomb at an airport, the best place to do it would be in one of the huge security checkpoint lines (p. 113). Or that if you have a 99.9% effective face-recognition system at a Tampa Bay football game with photos of all known terrorists, the system would falsely identify 75 non-terrorists per game while identifying a real terrorist every 133 games. At that point, the security personnel will understand that the system is always wrong and will begin ignoring the results (p. 189). In fact, Schneier completes his discussion of security systems by devoting an entire chapter to an explicit discussion of the human aspect of security. Casino security professionals use the initialism “JDLR”, which is short for “just don’t look right”. And that sense of what does and doesn’t look right can mean the difference between lots of people watching a security checkpoint line and a lot of people dead in one.

Beyond Fear is an important book because it takes the complex world of security and boils it down to an understandable framework. The framework is what it is, but the sample analyses Schneier spreads throughout the book are where the real meat lies. Building on the concepts learned in the chapter, the situations Schneier lays out effectively cement the lessons in the reader’s mind. Anyone with an interest in security, let alone a need to secure their own systems, should study Beyond Fear.
