psychology of security Archives - Page 22 of 26

Entries Tagged "psychology of security"

Page 22 of 26

MySpace and U.S. Attorneys General Agree to Fight Sexual Predators

MySpace has reached an agreement with the attorneys general of 49 states—Texas sat out—to protect children from sexual predators on the site.

The attorneys general are all congratulating themselves, as is MySpace—and there’s a lot of commentary out there. To me, this all seems like much ado about nothing.

The measures—details here—won’t do anything to stop child predators on MySpace. But, on the other hand, there isn’t really any problem with child predators—just a tiny handful of highly publicized stories—on MySpace. It’s just security theater against a movie-plot threat. But we humans have a well-established cognitive bias that overestimates threats against our children, so it all makes sense.

Posted on January 17, 2008 at 1:12 PM • View Comments

Fear Is Unhealthy

The New York Times writes about a plausible connection between fear and heart disease:

Which is more of a threat to your health: Al Qaeda or the Department of Homeland Security?

An intriguing new study suggests the answer is not so clear-cut. Although it’s impossible to calculate the pain that terrorist attacks inflict on victims and society, when statisticians look at cold numbers, they have variously estimated the chances of the average person dying in America at the hands of international terrorists to be comparable to the risk of dying from eating peanuts, being struck by an asteroid or drowning in a toilet.

But worrying about terrorism could be taking a toll on the hearts of millions of Americans. The evidence, published last week in the Archives of General Psychiatry, comes from researchers who began tracking the health of a representative sample of more than 2,700 Americans before September 2001. After the attacks of Sept. 11, the scientists monitored people’s fears of terrorism over the next several years and found that the most fearful people were three to five times more likely than the rest to receive diagnoses of new cardiovascular ailments.

[…]

After controlling for various factors (age, obesity, smoking, other ailments and stressful life events), the researchers found that the people who were acutely stressed after the 9/11 attacks and continued to worry about terrorism—about 6 percent of the sample—were at least three times more likely than the others in the study to be given diagnoses of new heart problems.

If you extrapolate that percentage to the adult population of America, it works out to more than 10 million people. No one knows what fraction of them might consequently die of a stroke or heart attack—plenty of other factors affect heart disease—but if it were merely 0.0003 percent, that would be higher than the 9/11 death toll.

Of course, statistics of any sort, even when the numbers are rock solid, don’t mean much to people when they’re assessing threats. Risk researchers have found that even when people know the numbers, they’re less worried about death tolls than about how the deaths occur. They have good reasons—called “rival rationalities”?—for fearing catastrophes that kill large numbers at once because these events affect the whole community and damage the social fabric.

It doesn’t surprise me that fear of terrorism is more harmful than actual terrorism. That’s the whole point of terrorism: an amplification of fear through the mass media.

Refuse to be terrorized:

The point of terrorism is to cause terror, sometimes to further a political goal and sometimes out of sheer hatred. The people terrorists kill are not the targets; they are collateral damage. And blowing up planes, trains, markets or buses is not the goal; those are just tactics. The real targets of terrorism are the rest of us: the billions of us who are not killed but are terrorized because of the killing. The real point of terrorism is not the act itself, but our reaction to the act.

And we’re doing exactly what the terrorists want.

[…]

The surest defense against terrorism is to refuse to be terrorized. Our job is to recognize that terrorism is just one of the risks we face, and not a particularly common one at that. And our job is to fight those politicians who use fear as an excuse to take away our liberties and promote security theater that wastes money and doesn’t make us any safer.

Posted on January 17, 2008 at 7:35 AM • View Comments

Your Brain on Fear

Interesting article from Newsweek:

The evolutionary primacy of the brain’s fear circuitry makes it more powerful than the brain’s reasoning faculties. The amygdala sprouts a profusion of connections to higher brain regions—neurons that carry one-way traffic from amygdala to neocortex. Few connections run from the cortex to the amygdala, however. That allows the amygdala to override the products of the logical, thoughtful cortex, but not vice versa. So although it is sometimes possible to think yourself out of fear (“I know that dark shape in the alley is just a trash can”), it takes great effort and persistence. Instead, fear tends to overrule reason, as the amygdala hobbles our logic and reasoning circuits. That makes fear “far, far more powerful than reason,” says neurobiologist Michael Fanselow of the University of California, Los Angeles. “It evolved as a mechanism to protect us from life-threatening situations, and from an evolutionary standpoint there’s nothing more important than that.”

I’ve already written about this sort of thing.

Posted on January 9, 2008 at 6:10 AM • View Comments

Computerworld Australia Interview

I was interviewed by Computerworld Australia.

Posted on January 7, 2008 at 2:36 PM • View Comments

The Sham of Criminal Profiling

Malcolm Gladwell makes a convincing case that criminal profiling is nothing more than a “cold reading” magic trick.

A few years ago, Alison went back to the case of the teacher who was murdered on the roof of her building in the Bronx. He wanted to know why, if the F.B.I.’s approach to criminal profiling was based on such simplistic psychology, it continues to have such a sterling reputation. The answer, he suspected, lay in the way the profiles were written, and, sure enough, when he broke down the rooftop-killer analysis, sentence by sentence, he found that it was so full of unverifiable and contradictory and ambiguous language that it could support virtually any interpretation.

Astrologers and psychics have known these tricks for years. The magician Ian Rowland, in his classic “The Full Facts Book of Cold Reading,” itemizes them one by one, in what could easily serve as a manual for the beginner profiler. First is the Rainbow Ruse—the “statement which credits the client with both a personality trait and its opposite.” (“I would say that on the whole you can be rather a quiet, self effacing type, but when the circumstances are right, you can be quite the life and soul of the party if the mood strikes you.”) The Jacques Statement, named for the character in “As You Like It” who gives the Seven Ages of Man speech, tailors the prediction to the age of the subject. To someone in his late thirties or early forties, for example, the psychic says, “If you are honest about it, you often get to wondering what happened to all those dreams you had when you were younger.” There is the Barnum Statement, the assertion so general that anyone would agree, and the Fuzzy Fact, the seemingly factual statement couched in a way that “leaves plenty of scope to be developed into something more specific.” (“I can see a connection with Europe, possibly Britain, or it could be the warmer, Mediterranean part?”) And that’s only the start: there is the Greener Grass technique, the Diverted Question, the Russian Doll, Sugar Lumps, not to mention Forking and the Good Chance Guess—all of which, when put together in skillful combination, can convince even the most skeptical observer that he or she is in the presence of real insight.

[…]

They had been at it for almost six hours. The best minds in the F.B.I. had given the Wichita detectives a blueprint for their investigation. Look for an American male with a possible connection to the military. His I.Q. will be above 105. He will like to masturbate, and will be aloof and selfish in bed. He will drive a decent car. He will be a “now” person. He won’t be comfortable with women. But he may have women friends. He will be a lone wolf. But he will be able to function in social settings. He won’t be unmemorable. But he will be unknowable. He will be either never married, divorced, or married, and if he was or is married his wife will be younger or older. He may or may not live in a rental, and might be lower class, upper lower class, lower middle class or middle class. And he will be crazy like a fox, as opposed to being mental. If you’re keeping score, that’s a Jacques Statement, two Barnum Statements, four Rainbow Ruses, a Good Chance Guess, two predictions that aren’t really predictions because they could never be verified—and nothing even close to the salient fact that BTK was a pillar of his community, the president of his church and the married father of two.

Posted on November 14, 2007 at 6:47 AM • View Comments

Suicide Bombing in Halo 3

Interesting and thoughtful article about suicide attacks in the online video game Halo 3:

Whenever I find myself under attack by a wildly superior player, I stop trying to duck and avoid their fire. Instead, I turn around and run straight at them. I know that by doing so, I’m only making it easier for them to shoot me—and thus I’m marching straight into the jaws of death. Indeed, I can usually see my health meter rapidly shrinking to zero.

But at the last second, before I die, I’ll whip out a sticky plasma grenade—and throw it at them. Because I’ve run up so close, I almost always hit my opponent successfully. I’ll die—but he’ll die too, a few seconds later when the grenade goes off. (When you pull off the trick, the game pops up a little dialog box noting that you killed someone “from beyond the grave.”)

It was after pulling this maneuver a couple of dozen times that it suddenly hit me: I had, quite unconsciously, adopted the tactics of a suicide bomber—or a kamikaze pilot.

It’s not just that I’m willing to sacrifice my life to kill someone else. It’s that I’m exploiting the psychology of asymmetrical warfare.

Because after all, the really elite Halo players don’t want to die. If they die too often, they won’t win the round, and if they don’t win the round, they won’t advance up the Xbox Live rankings. And for the elite players, it’s all about bragging rights.

I, however, have a completely different psychology. I know I’m the underdog; I know I’m probably going to get killed anyway. I am never going to advance up the Halo 3 rankings, because in the political economy of Halo, I’m poor.

Posted on November 12, 2007 at 1:20 PM • View Comments

Psychoecology and the DHS

Weird:

The Department of Homeland Security (DHS) has gone to many strange places in its search for ways to identify terrorists before they attack, but perhaps none stranger than this lab on the outskirts of Russia’s capital. The institute has for years served as the center of an obscure field of human behavior study—dubbed psychoecology—that traces it roots back to Soviet-era mind control research.

[…]

SSRM Tek is presented to a subject as an innocent computer game that flashes subliminal images across the screen—like pictures of Osama bin Laden or the World Trade Center. The “player”—a traveler at an airport screening line, for example—presses a button in response to the images, without consciously registering what he or she is looking at. The terrorist’s response to the scrambled image involuntarily differs from the innocent person’s, according to the theory.

Posted on September 24, 2007 at 7:34 AM • View Comments

Perceptions of Risk

Another article about risk perception, and why we worry about the wrong things:

Newsrooms are full of English majors who acknowledge that they are not good at math, but still rush to make confident pronouncements about a global-warming “crisis” and the coming of bird flu.

Bird flu was called the No. 1 threat to the world. But bird flu has killed no one in America, while regular flu—the boring kind—kills tens of thousands. New York City internist Marc Siegel says that after the media hype, his patients didn’t want to hear that.

“I say, ‘You need a flu shot.’ You know the regular flu is killing 36,000 per year. They say, ‘Don’t talk to me about regular flu. What about bird flu?'”

Here’s another example. What do you think is more dangerous, a house with a pool or a house with a gun? When, for “20/20,” I asked some kids, all said the house with the gun is more dangerous. I’m sure their parents would agree. Yet a child is 100 times more likely to die in a swimming pool than in a gun accident.

Parents don’t know that partly because the media hate guns and gun accidents make bigger headlines. Ask yourself which incident would be more likely to be covered on TV.

Media exposure clouds our judgment about real-life odds. Of course, it doesn’t help that viewers are as ignorant about probability as reporters are.

Much of what’s written here I’ve said previously, and it echoes this article from Time Magazine (and also this great op-ed from the Los Angeles Times).

EDITED TO ADD (7/13): A great graphic.

Posted on August 22, 2007 at 1:43 PM • View Comments

Security Theater

Nice article on security theater from Government Executive:

John Mueller suspects he might have become cable news programs’ go-to foil on terrorism. The author of Overblown: How Politicians and the Terrorism Industry Inflate National Security Threats, and Why We Believe Them (Free Press, 2006) thinks America has overreacted. The greatly exaggerated threat of terrorism, he says, has cost the country far more than terrorist attacks ever did.

Watching his Sept. 12, 2006, appearance on Fox & Friends is unintentionally hilarious. Mueller calmly and politely asks the hosts to at least consider his thesis. But filled with alarm and urgency, they appear bewildered and exasperated. They speak to Mueller as if he is from another planet and cannot be reasoned with.

That reaction is one measure of the contagion of alarmism. Mueller’s book is filled with statistics meant to put terrorism in context. For example, international terrorism annually causes the same number of deaths as drowning in bathtubs or bee stings. It would take a repeat of Sept. 11 every month of the year to make flying as dangerous as driving. Over a lifetime, the chance of being killed by a terrorist is about the same as being struck by a meteor. Mueller’s conclusions: An American’s risk of dying at the hands of a terrorist is microscopic. The likelihood of another Sept. 11-style attack is nearly nil because it would lack the element of surprise. America can easily absorb the damage from most conceivable attacks. And the suggestion that al Qaeda poses an existential threat to the United States is ridiculous. Mueller’s statistics and conclusions are jarring only because they so starkly contradict the widely disseminated and broadly accepted image of terrorism as an urgent and all-encompassing threat.

American reaction to two failed attacks in Britain in June further illustrates our national hysteria. British police found and defused two car bombs before they could be detonated, and two would-be bombers rammed their car into a terminal at Glasgow Airport. Even though no bystanders were hurt and British authorities labeled both episodes failures, the response on American cable television and Capitol Hill was frenzied, frequently emphasizing how many people could have been killed. “The discovery of a deadly car bomb in London today is another harsh reminder that we are in a war against an enemy that will target us anywhere and everywhere,” read an e-mailed statement from Sen. Joe Lieberman, I-Conn. “Terrorism is not just a threat. It is a reality, and we must confront and defeat it.” The bombs that never detonated were “deadly.” Terrorists are “anywhere and everywhere.” Even those who believe it is a threat are understating; it’s “more than a threat.”

Mueller, an Ohio State University political science professor, is more analytical than shrill. Politicians are being politicians, and security businesses are being security businesses, he says. “It’s just like selling insurance – you say, ‘Your house could burn down.’ You don’t have an incentive to say, ‘Your house will never burn down.’ And you’re not lying,” he says. Social science research suggests that humans tend to glom onto the most alarmist perspective even if they are told how unlikely it is, he adds. We inflate the danger of things we don’t control and exaggerate the risk of spectacular events while downplaying the likelihood of common ones. We are more afraid of terrorism than car accidents or street crime, even though the latter are far more common. Statistical outliers like the Sept. 11 terrorist attacks are viewed not as anomalies, but as harbingers of what’s to come.

Lots more in the article.

Posted on August 15, 2007 at 6:18 AM • View Comments

Phishing Studies

Two studies. The first one looks at social phishing:

Test subjects received an e-mail with headers spoofed so that it appeared to originate from a member of the subject’s social network. The message body was comprised of the phrase “hey, check this out!” along with a link to a site ostensibly at Indiana University. The link, however, would direct browsers to www.whuffo.com, where they were asked to enter their Indiana username and password. Control subjects were sent the same message originating from a fictitious individual at the university.

The results were striking: apparently, if the friends of a typical college student are jumping off a cliff, the student would too. Even though the spoofed link directed browsers to an unfamiliar .com address, having it sent by a familiar name sent the success rate up from 16 percent in controls to over 70 percent in the experimental group. The response was quick, with the majority of successful phishes coming within the first 12 hours. Victims were also persistent; all responses received a busy server message, but many individuals continued to visit and supply credentials for hours (one individual made 80 attempts).

Females were about 10 percent more likely to be victims in the study, but male students were suckers for their female friends, being 15 percent more likely to respond to phishes from women than men. Education majors had the smallest disparity between experimental and control members, but that’s in part because those majors fell for the control phish half the time. Science majors had the largest disparity—there were no control victims, but the phish had an 80 percent success rate in the experimental group.

Okay, so no surprise there. But this is interesting research into how who we trust can be exploited. If the phisher knows a little bit about you, he can more effectively target your friends.

And we all know that some men are suckers for what women tell them.

Another study looked at the practice of using the last four digits of a credit-card number as an authenticator. Seems that people also trust those who know the first four digits of their credit-card number:

Jakobsson also found a problem related to the practice of credit card companies identifying users by the last four digits of their account numbers, which are random. From his research, it turns out people are willing to respond to fraudulent e-mails if the attacker correctly identifies the first four digits of their account numbers, even though the first four are not random and are based on who issued thecard.

“People think [the phrase] ‘starting with’ is just as good as ‘ending with,’ which of course is remarkable insight,” he said.

Another attack comes to mind. You can write a phishing e-mail that simply guesses the last four digits of someone’s credit-card number. You’ll only be right one in ten thousand times, but if you send enough e-mails that might be enough.

EDITED TO ADD (8/14): Math typo fixed.

Posted on August 14, 2007 at 11:45 AM • View Comments

←Previous 1 … 20 21 22 23 24 … 26 Next→

Sidebar photo of Bruce Schneier by Joe MacInnis.