Review: Beyond Fear
The subtitle, “Thinking about security in an uncertain world”, describes this book accurately. Schneier is a security consultant, offering a five-step approach to assess the merits of measures proposed to meet a perceived threat:
- What assets are you trying to protect?
- What are the threats to those assets?
- How well do the measures mitigate these risks?
- What other risks do these measures cause?
- What costs and trade-offs are involved?
His main theme is the threat from terrorism, exemplified by the attacks in the USA on September 11th, 2001, but he also discusses (for example) how householders can protect against intruders, how travelers can best guard their possessions, and how users can defend against credit card fraud.
It is not written for statisticians, but statisticians will recognize a kindred spirit. Schneier repeatedly asks us to keep matters in perspective: 3000 people were killed on “9/11”, but 40 000 Americans die each year in car crashes. On the journey from New York to Los Angeles, the most dangerous part is the drive to the airport; more people are killed by pigs than by sharks. He points out that, if face matching technology is even 99.9% accurate, and one person in 10 million who attends a sports stadium is a terrorist, there will be 10 000 false alarms to every terrorist caught. (And if a bomb does explode when you are there, you should stay in your seat, as the biggest danger then is injury from crowd panic.)
He has scorn for the way some well-publicized steps offer only an illusion of security. In a future edition, he might mention the traveler, recently flying between the UK and Italy, who had his passport inspected 11 times all told: yet when he reached home he found he had inadvertently taken his wife’s passport on the journey. Too much “security” can mean none at all.
There are tangential references to a framework for the analysis of risk. The final chapter suggests looking at security as a game, where each side has a raft of strategies, but this is not developed. Half a dozen tables offer assorted statistics on various causes of death, or the risk of nasty accidents.
The book takes a consistent approach to the evaluation of security measures and shows how the five steps listed can enable us to reach rational decisions. It has some nice anecdotes—I was not aware that, in Switzerland, house keys can be duplicated only by the lock manufacturer, and with a written request from the property owner. It would be a useful adjunct to anyone teaching a formal approach to risk analysis.