Security in Perspective: Liars and Outliers
Most of us experience “security” from one of two vantage points: as the threatened or as the threat. The power held over us by those who peddle, prescribe, and implement security can be—let’s just say it can chafe a bit. Bruce Schneier is known for lampooning the wasteful and invasive security measures in our airports, warning of the dangers posed by unchecked surveillance, and blogging about squids. In Liars and Outliers, though, he offers a paradigm that could (should) transform how we view security.
The core idea is that societies require trust to function. Societies exert various kinds of forces—moral, reputational, institutional, and security—on their members to encourage behavior that induces trust and trustworthiness. Most often, security becomes necessary as societies grow too large for the other mechanisms to be effective. So the ultimate goal of security is to increase trust, and it does so not on its own but as a supplement to these other mechanisms.
To me, the biggest implication here is that the goal of security is to increase trust in the society, not just to lock down anything and everything up to its value. The quantitative risk analysis used regularly by security professionals—if not by Congress and the TSA—seems astoundingly narrow compared to the basic questions suggested by Schneier’s model: What is the society? What are the desired and defecting behaviors? What are the moral, reputational, and institutional forces at work and how are they failing? Will a proposed security system have side-effects that impact trust in the society? I believe thoughtful answers to these questions will produce much more effective and human-friendly security systems. Just as often, they’ll bring to light effective non-security solutions.
That brings us to the other big lesson here: Sometimes, security is not the answer. You may be able to increase trust by strengthening the other mechanisms, redefining the society, or manipulating the incentives to defect. For example, an online review system might introduce a reputation-based voting system instead of building a computer program to root out shills and trolls.
Anyone who’s concerned with any kind of “society”—from softball team to online forum to corporation to national government—could benefit from the framework presented Liars and Outliers. And we should all hope this book makes it into the hands of those entrusted with the security of our airports, infrastructure, and information systems.