Management Week Security Book Review: Book Lowers Fear of Threats
Bruce Schneier’s latest book on data security offers a logical and realistic approach to creating policies and educating staff.
Security guru Bruce Schneier has written several books but is best known for his first: Applied Cryptography. One problem with this earlier work is that it demands a high level of mathematical understanding.
His latest book, Beyond Fear: Thinking Sensibly About Security in an Uncertain World, is designed to help ordinary IT staff, business managers and end-users get to grips with current security issues.
The guide could prove useful for IT managers wanting to convey the importance of information security for the wider business, for example when negotiating budgets or attempting to get projects signed off.
Beyond Fear is an easy-to-read guide to the main issues of security.
The book offers a dispassionate review of the threats facing firms and individuals, and covers problems ranging from script kiddies and hackers to terrorists and activists.
The book opens with an overview of sensible security and how to make rational decisions about security policy. The second section offers detailed breakdowns of security systems, from national identity card schemes to burglar alarms.
Schneier puts forward a simple five-point process to help firms assess each security procedure. He says firms must first decide which assets they want to protect. Then they should analyse the risks to those assets, and estimate how well current or proposed security solutions mitigate them. Finally, they need to consider any new risks the security solutions might bring and what costs and trade-offs the solutions impose.
The author points out that the appropriate level of security involves a trade-off between protection and investment. For example, buggy software and unreliable human processes can undermine security measures, but removing all bugs and all human vulnerabilities may be expensive and time consuming – if not impossible.
Security professionals must therefore take into account the value of the data to be protected, and the costs if it were exposed, before suggesting or budgeting for appropriate defences.
The book does not attempt to assess the many security packages on the market; instead, Schneier focuses on the deeper issues. He argues that firms that apply this kind of logical analysis to their own security solutions may reach some surprising conclusions.
He points out that while some security systems may look very good to the untrained eye, they may actually create more problems than they solve.
In fact, simple low-cost measures have often proved effective.
The book also offers a detailed analysis of biometric security and ID card schemes, and it argues that these technologies in fact have major weaknesses. It concludes by offering tips for negotiating appropriate security measures.
It is very easy to suppose that technology can offer a quick fix to security.
But Schneier shows that in the real world, good policies and practices are the key to security, and they are often neither expensive nor intrusive. He says the human element is often the weak point in firms’ defences, and hackers can exploit this, for example by tricking staff into revealing passwords. The life of the IT security officer is never easy, since the sign of success is that nothing happens.
This book should help IT professionals explain to business managers and other users the complex issues of effective security in terms that are easy to understand.
Words of Warning
Excerpts from Beyond Fear by Bruce Schneier; published by Copernicus Books; £23; ISBN: 0-387-02620-7
We must take the economic and social components of any attack into account when we try to understand the threats.
Most engineering involves making systems work. Security engineering involves making sure they don’t fail.
We have all sorts of security systems in place defending us against all sorts of threats, but the primary thing keeping our society from complete anarchy is human nature.