Book Review: Beyond Fear: Thinking Sensibly about Security in an Uncertain World
Security is a tax on the honest. Schneier, in his book’s last chapter, fittingly titled Security Demystified, explains that in a world of honorable and law-abiding citizens our lives would be a lot simpler. Unfortunately, this is not the case: throughout our lives we constantly face dangers and risks, and often have to evaluate complex tradeoffs that involve the safety of ourselves and the people we love.
For thousands of years the planning of security was conducted by specialists working in isolated domains like defense, banking, or civil aviation. Security decisions, good or (often) bad, were not publicized, and the general public was kept in the dark regarding important security tradeoffs and weaknesses. Advances in information and networking technology have resulted in immensely increased requirements for secure applications and associated algorithms and protocols to conduct e-commerce, store private data, and communicate on the open internet. As a result, a new generation of security researchers started working in an open environment of scientific discourse and exchange, publishing their results in the open literature and communicating across previously isolated domain boundaries. These efforts have made information security an important element of computer science with a systematized body of knowledge and accepted practices. Bruce Schneier, a respected member of the information security community, in his book Beyond Fear takes the trip in the opposite direction, applying the knowledge he gained from his practice in IT security to the security decisions of our everyday lives.
The book’s publication is exceptionally timely. A number of spectacular terrorist activities have resulted in many governments taking exceptional measures in the name of improving national security. Although security decisions in our private life are important and often tricky (is one more likely to be killed by a shark or a pig?—a pig, writes Schneier) the same decisions at the level of a country are critical, since they affect the type of society we will live in and the freedoms we will (or will not) enjoy. The book, written in a very clear and jargon-free style, will allow anyone to take correct and informed decisions on both fronts.
Beyond Fear is divided into three parts. The first introduces security as a matter of making appropriate, often subjective, trade-offs. The second part is essentially a tutorial on the workings of security in the real world. Through many interesting and often entertaining anecdotes Schneier explains how systems fail, the role of attackers and defenders, the imbalances created by technology, the issue of brittleness, and the weakest-link phenomenon. Separate chapters deal with detection, response mechanisms, identification, authentication, authorization, countermeasures, and fighting terrorism. In many cases Schneier analyzes important exemplar security problems through a five-step risk analysis process, which is also presented as a negotiation tool in the book’s last part: 1) what assets are we trying to protect? 2) what are the associated risks? 3) how well does the security solution mitigate them? 4) what other risks does the security solution cause? 5) what trade-offs does the security solution require? One can only wish that this rational thinking were followed more often when implementing security measures.
Could the book be improved? The author’s overly US-centric view often appears parochial to a non-US reader: the 9/11 attacks, although important from a geopolitical point of view, are given far more attention than Schneier’s advocated risk analysis method would suggest; the discussion on identity cards ignores the problems these cards solve in everyday transactions in many European and other countries. Also, although the book has a very complete index, the lack of bibliographic references means that readers will not be able to trace the discussed facts back to their original sources. Both blemishes are minor, however, compared to the book’s accomplishment: a solid and rational treatment of everyday security that a layperson can understand and apply in practice.