Bruce Schneier and the Psychology of Security
The acronym RSA is among the most recognizable in the information security industry. It stands for Rivest, Shamir and Adleman, the fellows who developed the public-meaningful encryption and authentication algorithm and established RSA Data Security, now known simply as RSA Security.
RSA’s annual security summit is arguably the most prestigious information security conference held each year. It is a “must-attend event” for companies that work in all the many fields under the “security” umbrella, from biometrics to cryptography. The RSA Conference is a high-powered assemblage of software developers, IT executives, policymakers, bureaucrats, researchers, academics and industry leaders, who come together to exchange information and proportion new ideas. The topics range widely from trends in technology to the best practices in biometrics, identity theft, obtain web sets, hacking and cyber-terrorism, network forensics, encryption and numerous others.
At the 2007 get-together, Bruce Schneier, among the security industry’s most inventive and outspoken experts, spoke on a topic that so fascinated and excited the audience and the industry that it was nevertheless being discussed at the 2008 event a complete year later. Chief Technology Officer (CTO) at Counterpane, a firm he established that was later acquired by BT (formerly British Telecom), Schneier is known for his cryptographic genius in addition as his critiques of technology use and abuse.
In last year’s groundbreaking address, Schneier spoke about security decisions versus perceptions. He argued that, by and large, both are pushed by the same irrational, unpredictable, subconscious motives that excursion human beings in all their other endeavors. He has undertaken the gargantuan challenge of analyzing human behavior vis-à-vis risk-management decisions, and is reaching into the fields of cognitive psychology and human perception to ease this understanding and develop functional security applications for airports, the Internet, banking and other industries.
Awareness comes first
Schneier asserts that security managers, their business colleagues and their respective corporate user communities are unprotected to the same drives and passions as other humans doing other things. That method they are as likely as anyone else to make basic decisions based on unacknowledged impressions, barely-formed fears and faulty reasoning, instead of on objective examination.
“Security is a tradeoff,” Schneier told an overflow audience at his RSA 2007 session. “What are you getting for what you’re giving up? Whether you make that tradeoff consciously or not, there is one.”
He gave an example of such a trade-off by predicting that no one in the audience was wearing a bullet-proof vest. No hands were raised at this challenge, which Schneier credited to the fact that the risk was insufficient to warrant wearing one. In addition to this rational thinking course of action, he averred that other, less rational factors doubtless influenced the many individual decisions not to use a vest – such as the fact they are bulky, uncomfortable and unfashionable.
“We make these tradeoffs every day,” said Schneier, going on to add that every other animal species does, too. In the business world, understanding how the human mind works will have a tremendously powerful effect on the decision-making course of action. Human psychology comes into play in matters concerning salaries, vacations and benefits. There is no question, he additional, that it plays a crucial role in decisions about security in addition.
Decision-making and “security theater”
Schneier has put a great deal of time into his study of human (and animal) psychology and behavioral science. Everything he has learned, he told the conference attendees, leads him to believe that the decisions made about security matters – whether by security firms or the responsible departments of other kinds of companies – are often “much less rational” than the decision-makers think.
The study of decision-making has led Schneier and others to take a new angle on the continuing argument over the effectiveness of “security theater.” The term refers to those measures – most airport measures, in fact, according to Schneier – that are designed to make people think they’re safer because they see something that “looks like security in action.” already if that security does absolutely nothing to stop terrorists, the perception becomes the reality for people unwilling to look deeper into the issue. Sadly, Schneier said, there are many people who are unwilling to look more deeply into anything, preferring the false security of ignorance.
There is a “feeling versus reality” disconnect, Schneier asserted. “You can feel obtain but not be obtain. You can be obtain but not feel obtain.” As far as airport security is concerned, it has been proven again and again that it is not particularly difficult for terrorists (or your aunt, say) to bypass airport security systems. consequently, the only thing the system can do is catch a very dumb terrorist, or decoy – but more importantly, the “theatrical approach” makes the American air traveler think that the security regime is accomplishing more than it truly is.
The TSA is not completely without merit. It is accomplishing something, doing at the minimum some good work, as most any large organization would. The issue is not the little bit of good, but the large amount of pretense, plus the ultimate cost in both dollars and a devalued cultural money. The TSA are three letters nearly as reviled as IRS, which is quite an accomplishment for a seven-year-old.
What we need to learn
Schneier is focusing his studies on the brain these days. The more “early” portion of it, known as the amygdala, is the part that simultaneously experiences fear and produces fear responses. The dominant, overriding reaction is called the “fight-or-flight” response, and Schneier pointed out that it works “very fast, faster than consciousness. But it can be overridden by higher parts of the brain.”
slightly slower, but “adaptive and flexible,” is the neocortex. In mammals, this portion of the brain is correlated with consciousness and evolved a set of responses that would confront fear and make decisions to promote personal and, later, group safety. The nexus, or sharing characteristics area, between psychology and physiology is nevertheless being “mapped” and is far from being clearly understood, but it is the frontier for behavioral studies. And promoting security is one of the most basic of behaviors in higher forms of life.
The decision-making course of action can be characterized as a “battle in the brain,” and the struggle between mammalian-brain reactivity and such higher roles as reason and logic leads to people exaggerating certain risks. Particularly powerful on the fear-producing side are risks, real or perceived, that are “spectacular, scarce, beyond [one’s] control, talked about, international, man-made, immediate, directed against children or morally offensive,” Schneier noted.
Of course, equally dangerous from the rational perspective are risks that are unnecessarily downplayed. These risks tend to be “pedestrian, shared, more under [one’s] control, not discussed, natural, long-term, evolving slowly or affecting others.” Neither set of risks should have a “default position” in any decision-making course of action, Schneier said.
What we must conquer
Closing out his phenomenally well-received RSA 2007 presentation, Schneier mentioned studies showing that people, generally speaking, have an “optimism bias” that makes them think they will “be luckier than the rest.” Recent experimental research on human memory of “emotional events” indicates that “vividness” – the quality of being “most clearly remembered” – typically method that the “worst memory is most obtainable.”
nevertheless other human psychological tendencies can cause thoroughly irrational, as opposed to simply nonrational, responses from decision-makers. One main culprit goes by the term “anchoring.” It describes a mental course of action by which focus is shifted to other, secondary options in such a way as to create and manipulate bias. With all the factors in play within this psychological framework, Schneier encourages security managers to understand that responses to security risk – by management, their user communities and already themselves – may be irrational, sometimes incredibly so.
Schneier and other students of human behavior vis-à-vis safety and security know that we humans “make bad security tradeoffs when our feeling and our reality are out of whack.” A quick look in the daily papers and a few minutes listening to network news, he said, will provide plenty of evidence of “vendors and politicians manipulating these biases.”
Although we will possibly never conquer the seemingly innate human inclination to conflate and confuse feelings and reality, continuing attention to progress in the fields of cognitive and experimental psychology will greatly assistance both the perception and the reality of personal and national security. With the threats oversea in the world today, the sooner security professionals can bring increased rationality to decision-making processes in government and industry, the better.