Book Reviews: Bruce Schneier, Beyond Fear

  • Priya Seetharaman
  • The Computer Journal
  • May 1, 2004

When one becomes more than an expert in an area, he or she generally begins to take a philosophical and abstract view of the subject and gains the ability to explain its essence in simple layman's terms. That, in short, describes Bruce Schneier's book Beyond Fear.

It's a question many of us need to ask ourselves. Are we really at risk? Or are we just afraid? Schneier provides us with hundreds of small examples, repeatedly emphasizing the need to take another look at our reactions to the recent global security threats. Coming from a security expert and cryptologist, the book attempts to wash away the idea that there is a standard approach to managing security. He dispels the notion that security is only for experts and convincingly proves that anyone can understand security.

The book is divided into three broad parts, the first of which sets the tempo and builds the broad idea of what security in the current environment means. In Part 1, Chapter 1 discusses the book's basic five-point framework, followed by Chapter 2, which brings out the risks and trade-offs involved in having security in place. Schneier talks about the subjectivity of security trade-offs, which depend on who the players are and the social environment in which they function. Chapter 3 extends the argument further with its discussion of the power agendas, conflicts of interest and proxies the players exhibit.

So how does the whole thing work? Part 2 describes this in an uncomplicated fashion. Chapter 4 talks about how even simple security is also a system—a system that exists in a mesh of interactions amongst its individual countermeasures. Chapter 5 takes off from this and discusses the advantages of even partly knowing your potential attackers. What determines the risks from these attackers? Attackers may change their instruments but never change their tunes. Chapter 6 explores this further, and Schneier tells us why we need to look at the various threats and what their effects and risks are. Chapter 7 deliberates why and how technological advancement might itself cause additional security threats by making systems more complex, while Chapter 8 puts forth a few strategies to either reduce vulnerabilities or secure systems despite vulnerabilities. Chapter 9 discusses how brittle systems often fail insecurely, responding to failure by continuing to function but without any security. The next chapter, Chapter 10, reminds us of the basic critical element in all systems—the people. The importance of this element is nowhere more evident than in the need to build its trust.

The following two chapters talk about the need for detection and the need for good response systems when an attack is detected, for 'detection is useless without response'. The author draws an analogy with prisons to explain the concepts of removal, deterrence and rehabilitation.

But a more important point, that any measure to control should be accompanied by a measure to educate, is well made. Chapter 13, the longest in the book, explains three very important concepts in security—identification, authentication and authorization—in fairly simple terms. Chapter 14 describes why all countermeasures have some value but no countermeasure is perfect. His argument is that different defenses, at the right moment and in the right mix, can be extremely effective. The last chapter of this part, 'Fighting Terrorism', explains the book's fundamental five-point framework in the context of terrorism as a security threat and why the countermeasures we have adopted thus far are far less effective than they appear. It is probably the symptoms we are treating and not the actual disease.

Chapters 16 and 17 of Part 3 deal with how to play the game of security. Chapter 16 puts things in perspective by briefly recapping the earlier chapters of the book and painting the complete picture to fit the overall framework. Negotiating for security not only involves iterating through the five questions for different options, but also understanding the environmental setting. In Chapter 17, the author provides some statistics to demystify the concept of absolute, static security, arguing that it is this dynamism of security that makes it an ongoing process.

Unlike Schneier's earlier books, this book is not for experts, and yet it is surely not your ABC-of-security-basics book either. However, it gives you the holistic picture of what security means. At the end of it you may not have become a security guru, but you will surely have more insight into the concept. Yes, it is about thinking sensibly. Flooded with examples not just from the hi-tech world but also from nature, which is even more technologically complex, Schneier explains concepts that would have awed many of us at some point in a simple, building-block fashion.

The book is not a fast-moving travel read, nor even the casual-reading type. Some examples do get repetitive. But all the same, the book is lucid and elegantly written, with a good logical flow. With copious illustrations, the book is a must-read for politicians and leaders, to help them understand the impact of the excess fear instilled by their publicity stunts, and for managers, to help them appreciate the need to understand the real threats and risks. The book makes for very good reading for self-proclaimed security experts and lawyers—it will help them guide and advise the affected in a truly insightful manner. IT professionals and, most importantly, students of network and communication security, information systems and technology would find the book most useful for the conceptual grounding required to understand what security in an uncertain world really means. Finally, if you are none of these, but are merely looking for a book to understand security, this is surely the one for you.
