<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>USENIX LISA Large Installation Systems Administration Conference Blog &#187; LISA &#8216;08</title>
	<atom:link href="http://lisa.usenix.org/?feed=rss2&#038;tag=lisa-08" rel="self" type="application/rss+xml" />
	<link>http://lisa.usenix.org</link>
	<description>All things related to the USENIX Large Installation Systems Administration Conference (LISA)</description>
	<lastBuildDate>Tue, 16 Dec 2008 06:38:27 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.6</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Bruce Schneier Speaks on Conceptualizing Security at LISA 2008</title>
		<link>http://lisa.usenix.org/?p=140</link>
		<comments>http://lisa.usenix.org/?p=140#comments</comments>
		<pubDate>Tue, 16 Dec 2008 06:38:27 +0000</pubDate>
		<dc:creator>msacks</dc:creator>
				<category><![CDATA[LISA '08]]></category>

		<guid isPermaLink="false">http://lisa.usenix.org/?p=140</guid>
		<description><![CDATA[Bruce Schneier Speaks on Conceptualizing Security at LISA 2008
By Matthew Sacks
Bruce Schneier, Chief Security Technology Officer, British Telecom, presented some abstract and cutting edge ideas about security at the LISA conference this year. The topic of re-conceptualizing security presented some new insights and perspectives into what we think of security.
One example Schneier gave was about [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Bruce Schneier Speaks on Conceptualizing Security at LISA 2008</strong><br />
By Matthew Sacks</p>
<p>Bruce Schneier, Chief Security Technology Officer, British Telecom, presented some abstract and cutting edge ideas about security at the LISA conference this year. The topic of re-conceptualizing security presented some new insights and perspectives into what we think of security.</p>
<p>One example Schneier gave was about risk heuristics. The best way to describe risk heuristics is to present some of the examples Schneier spoke of. Take a free collector mug, for example: if one were to give the mug away (or any other object), the object automatically has value. Schneier spoke about some other examples of the components of risk heuristics:</p>
<p>“There are a number of other heuristics involved, the optimism bias, which is that bad things always happen to certain people.”</p>
<p>Another common security mistake made by the general public is that we tend to exaggerate rarities, because they are, well, rare. For example, try to think of some words with K as the first letter; you can rattle off a list of words starting with K. Now try to think of words with K as the third letter, which is much more difficult.</p>
<p>Take these two statements, for example:<br />
Linda is a bank teller.<br />
Linda is a bank teller and active in the feminist movement.</p>
<p>With these two statements, the second one causes the reader to focus more on the fact that Linda is a feminist, rather than a bank teller, even though the fact she is a feminist is merely a small attribute to her more accurate identity as a bank teller.</p>
<p>Schneier spoke about the difference between the feeling of security, and the reality of security. He made the point that the feeling of security is much more important to most people, because it is their perception which causes them to feel secure or not.</p>
<p><strong>Schneier speaks about &#8220;Security Theater&#8221; and Security Models</strong></p>
<p>Security, by design, is supposed to make you feel better, so if the market drives security, then the economic incentive is to make people feel secure, rather than to actually make them secure. Schneier refers to this behavior as “Security Theater”. Security Theater is necessary to a certain extent, reasons Schneier, but it is also most obvious when there is no realized increase in security, yet claims are being made to make people simply feel better.</p>
<p>Child kidnapping is exaggerated by the media and is an exaggerated security model. Schneier makes the point that very few child kidnappings happen each year, and family members commit the majority of kidnappings; however, the media exaggerates this security model using elements of Security Theater.</p>
<p>The new global warming crisis is much closer to reality than feeling, which is why most people reject it or simply do not care as much. Compare this to child kidnapping, which plays on people's emotions and feelings of security, so it gets much more attention.</p>
<p><strong>Suggestions on Security</strong></p>
<p>When analyzing security models, look for agendas and subjectivity. In these cases, the people behind the model are most likely trying to manipulate you for their own benefit.</p>
<p>We use proxies to get good information. We trust our doctor as a proxy to prescribe us the right medication; we do not prescribe the medication ourselves.</p>
<p>There is a certain value in security theater; for example, it saved the over-the-counter drug companies in the poisoned Tylenol incident. The simple fact is that if someone wanted to poison Tylenol and put it back on the shelf, there are many ways they could still do this and subvert the “tamper-proof” cap.</p>
<p>Schneier made the point that we need to focus on giving better models to bring security and the way we utilize security back to facts.</p>
<p>“Every year, there is a new reality in a world of technology”.<br />
– Bruce Schneier</p>
]]></content:encoded>
			<wfw:commentRss>http://lisa.usenix.org/?feed=rss2&amp;p=140</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
