Schneier: In Touch With Security's Sensitive Side

http://www.darkreading.com/document.asp?doc_id=116153&WT.svl=news1_1

FEBRUARY 1, 2007 | Cryptologist and now, psychologist: Renowned security 
expert Bruce Schneier once again is turning security on its head -- 
literally. Schneier will share his latest research and insight at the RSA 
conference next week on the interplay between psychology and security. 
(See Schneier On Schneier.) 
Schneier says the goal of his talk at RSA is not to discuss security 
technologies or tactics, but to explain how people think, and feel, about 
security. "A lot of the time at RSA, we are just puzzled why people don't 
secure their computers, and why they behave irrationally. Psychology has a 
way of explaining this," he says. "If we in the [security] industry expect 
to build products, we need to understand our customers." 
The focus of Schneier's latest research -- which he says could culminate 
in his next book -- is brain heuristics and perceptions of security. He 
says security is both a reality and a feeling, with reality based on 
probability and risk, and feeling based on your psychological reaction to 
risk and "countermeasures" to security threats. 
Often, our perception of risk doesn't match reality, and neuroscience can 
help explain this, he says. Perception of risk is often seared into our 
brains. Schneier says people are typically more afraid of flying than 
driving, for instance, even though statistically it's safer to take the 
plane. The brain's two systems of assessing risk -- the amygdala (in 
charge of processing senses like anger, avoidance, fear), and the 
neocortex, which gives us analytical processing -- don't really work in 
concert when it comes to perception versus reality of security. 
Trouble is, it's difficult for the neocortex to "contradict" the 
amygdala, he says. The neocortex is a "newer" part of the brain that is 
still evolving, he notes. And the neocortex is the part of the brain that 
makes decisions on security "tradeoffs," he says. So sometimes, we make 
security decisions based more on emotion or perceptions than logic. 
"Security is both a reality and a feeling," Schneier writes in a paper 
he'll be making public soon. And you can be secure even if you don't feel 
that way, or you can feel secure even if you're not, he notes. 
Not many (if any) security experts weigh psychology into the equation, but 
then again, Schneier is not just any security guru. He started out as a 
cryptographer and has since become an expert on all things physical 
security, including airport and school security. Schneier is also the 
bestselling author of Applied Cryptography (as well as other books) and BT 
Counterpane's top security guy. 
Schneier says the trouble with vendors missing the psychological component 
in security is that their products then fail. "The RSA show floor is 
filled with products that nobody uses. They don't install, they configure 
badly, or they don't actually work," he says. The user/human interface 
aspect of a product is more important than the technology, he says. 
"Our problem as technologists is we can't pretend people don't exist. We 
must build security for people," he says. 
He admits the human interface aspect of security products has improved. 
But security doesn't have the best track record in getting in touch with 
the person behind the user: email encryption, for example, didn't take 
off. "Over the years, no one used encryption" in email, he says. "It had 
nothing to do with the technology," but instead the ease of use, he says. 
So how do you get into security customers' heads? Schneier says it's 
really not that hard. "The ways that they think about security decisions 
is actually very rational and predictable if you understand" the 
underlying brain heuristics and psychology, he says. "It's not 'look how 
dumb people are' but 'look how clever the brain is,' " he says. Getting a 
handle on brain heuristics can also help understand how attackers take 
advantage of them, too, he says. 
The flip side of this: How can security customers make sure they don't 
make bad security decisions that are based on incorrect perceptions? 
Schneier says he doesn't know if you can change brain chemistry for this. 
"My belief is that making you aware of it goes a long way," he says. "If 
you can understand you are just reacting from fear, you have a better shot 
at understanding these human biases. Hopefully you can short-circuit them 
and improve on them and make it so we are not slaves to this," he says. 
"Fear is brain chemistry, but so is reason. We have to figure out how 
reason can trump fear." 
If anyone can solve that puzzle, it's Schneier. 
-- Kelly Jackson Higgins, Senior Editor, Dark Reading

Received on Monday, 5 February 2007 22:29:02 UTC