Extended version of article in May/June 2007 issue

Interview: Bruce Schneier

BT Counterpane’s founder and chief technology officer talks to SA Mathieson at Infosecurity Europe


"Our brain has been built not to be a computer,
not to be rational, not to be logical"

Bruce Schneier packed out the show's keynote theatre when he spoke about 'The Psychology of Security', based on a draft essay he published in February. He outlined a range of research suggesting that our perceptions of a given risk are heightened if it is - among other things - spectacular, discussed widely, outside our normal experience or willingly taken rather than beyond our control. Such biases are ideal for hunter-gatherers living in small family groups in Kenya in 100 000BC, he argues, but not for modern life.

So how does this apply to infosecurity risks? "The obvious place is the people who are afraid of cyber-terrorism, while minimising cyber-crime," he says. "Cyber-terrorism gets the news, it's the hot topic, it's the scary topic and people are afraid of it. Cyber-crime doesn't get as much news, and I think people very much underplay that threat. You see it also when people overplay the threat of peer-to-peer, or they get all scared of people bringing their iPods in and maybe putting data on it. They forget that data could walk out on paper. So there are a lot of people reacting to the news, instead of to the reality of security. Now, it's hard to blame them. This is what's reported, this is what people worry about, but I think there's a big difference in how people perceive internet security and what's really going on.

"I've always said that I think the industry spends about the right amount of money on internet security, it's just spent really, really badly, and that's because people are missing what the threats are.

What areas do infosecurity professionals underspend on? "I think they underspend on the risks of financial fraud, I think they pretty much ignore reputational risks. We find a lot of examples in the United States where large data thefts result in a measurable change in your stock-price, and it's not a good change. I think companies really don't even think about those sorts of risks. These fall into the category of very rare, but very devastating attacks, and it's hard to adequately deal with those, because your normal insurance model of average loss expectancy doesn't work very well.

"On the other hand, some things are doing very well. If you have a decent anti-virus program, you're doing phenomenally. If you keep your patches up to date, if you pay attention, if you've got some good services for dealing with the threat of the day, you're likely to emerge pretty unscathed. Now, you might have to pull some overtime, here and there, but you know, that's part of the job. So that kind of stuff I think we have largely well in hand. You have two sets of companies, you have the companies that get it, who are investing in these security measures, and you have the companies that don't, who aren't, and they just get whacked.

"I think companies underestimate the severity of insider threat, they're mostly concerned about attacks from the outside and downplay the threats from the inside. But this is true all over humanity. In the United States, most kidnapping happens by relatives, yet we're afraid of the stranger sneaking into our child's bedroom. Most credit card fraud happens from someone who lives in the same house as you do. You are more likely to be killed violently by someone you know than by a stranger, yet in our head, it's exactly the reverse. We fear the unknown, and on your computer, you're most likely to be hacked by someone in your company, not outside your company. Now this is hard, it's much easier to build a wall to keep the bad guys out. If the bad guys are already inside, you've hired them, it's much harder. One of the best things we do at Counterpane is catch insiders, because no-one else does, and it's very satisfying when we do."

One of the flaws in our judgement of risk, according to Schneier's essay, is our preference for a sure gain of £1 over a 50% chance of £2 - or even £4 - while we prefer to gamble when it comes to losing money. "In general, what psychological research shows is that people are risk-averse when it comes to gain, and risk-seeking when it comes to losses," he says. "You see this in IT when companies are ignoring these extremely low probability, high damage events. They are risking a large loss, because in their heads that's a better deal than spending the money to mitigate it, even if financially the math works out the other way. That's just the cognitive bias we have as people."
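To make the arithmetic Schneier refers to concrete, and to show why the "average loss expectancy" he mentions earlier is a poor guide for rare, devastating attacks, here is an added Python example. It is not from the interview or from Schneier's essay; every figure in it is constructed. It compares a rare, high-impact data theft with frequent, low-impact incidents that have the same annual loss expectancy, applies the plain expected-value test to a hypothetical mitigation, and simulates many years of each risk so the loss distributions can be compared beyond their means.

```python
import random
from statistics import mean, median

# Constructed scenario (all figures invented for illustration):
# a large data theft that also damages reputation, versus routine small incidents.
RARE_EVENT_LOSS = 5_000_000.0   # pounds per occurrence
RARE_EVENT_RATE = 0.02          # 2% chance in any given year
SMALL_EVENT_LOSS = 2_000.0      # pounds per occurrence
SMALL_EVENTS_PER_YEAR = 50      # expected occurrences per year


def annual_loss_expectancy(single_loss, annual_rate):
    """ALE = single-loss expectancy x annualised rate of occurrence.
    This is the insurance-style 'average loss expectancy' figure."""
    return single_loss * annual_rate


def mitigation_is_worthwhile(single_loss, annual_rate, mitigation_cost, risk_reduction):
    """Plain expected-value test: mitigate when the expected loss avoided per
    year exceeds the control's annual cost. risk_reduction is the fraction of
    the annual rate the control removes (0.7 = event becomes 70% less likely)."""
    avoided = annual_loss_expectancy(single_loss, annual_rate) * risk_reduction
    return avoided > mitigation_cost


def simulate_rare(single_loss, annual_rate, years, seed=1):
    """Seeded simulation of a rare event: each year it either happens or not."""
    rng = random.Random(seed)
    return [single_loss if rng.random() < annual_rate else 0.0 for _ in range(years)]


def simulate_frequent(single_loss, events_per_year, years, seed=1):
    """Seeded simulation of frequent small events: 365 daily Bernoulli trials
    per year, calibrated so the expected count equals events_per_year."""
    rng = random.Random(seed)
    daily_p = events_per_year / 365
    losses = []
    for _ in range(years):
        count = sum(1 for _ in range(365) if rng.random() < daily_p)
        losses.append(count * single_loss)
    return losses


def loss_profile(losses):
    """Summary figures beyond the mean; these are what separate the two risks."""
    return {
        "mean": mean(losses),
        "median": median(losses),
        "zero_loss_years": sum(1 for x in losses if x == 0) / len(losses),
        "worst_year": max(losses),
    }


if __name__ == "__main__":
    years = 5_000
    # Both risks have the same ALE of 100,000 pounds per year.
    print("ALE rare    :", annual_loss_expectancy(RARE_EVENT_LOSS, RARE_EVENT_RATE))
    print("ALE frequent:", annual_loss_expectancy(SMALL_EVENT_LOSS, SMALL_EVENTS_PER_YEAR))
    # A hypothetical 60k/year control that makes the rare event 70% less likely
    # avoids 70k of expected loss: the arithmetic says mitigate, even though in
    # most simulated years the spend will look wasted.
    print("mitigate rare event at 60k/yr:",
          mitigation_is_worthwhile(RARE_EVENT_LOSS, RARE_EVENT_RATE, 60_000, 0.7))
    print("rare    :", loss_profile(simulate_rare(RARE_EVENT_LOSS, RARE_EVENT_RATE, years)))
    print("frequent:", loss_profile(simulate_frequent(SMALL_EVENT_LOSS, SMALL_EVENTS_PER_YEAR, years)))
```

Run as a script it prints the two identical ALE figures and then the profiles: the rare risk has a median of zero and shows no loss in roughly 98% of years, with a single worst year of the full five million, whereas the frequent risk never has a zero year and clusters tightly around its mean. The mean alone cannot tell these apart, which is why a budget set on average loss expectancy looks reasonable right up until the rare year arrives.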

There are others: "Optimism bias is, 'it won't happen to me'. So you open the paper and you read about this company that got hacked, and there's all this damage, you're the CEO and you say, 'ha ha, it happened to that guy, it won't happen to me, I won't worry about it'. The smart CEO looks and says, 'wow, that could have been me, let's work out what the risk is, and shall we mitigate it'."

So can infosecurity professionals guard against our inherent cognitive biases? "Our brain has been built not to be a computer, not to be rational, not to be logical," he says. "There are ways to train around it. It's hard, and it involves education and training. This is the kind of thing where you teach policemen not to react with their gut, but to stop and think. You want to train a CEO to think about risk, and a lot of business tries to do this. It doesn't do it in security very well, but I think it can be fixed."

So the answer is education and ignoring gut instinct? "Or at least understanding where your gut instinct goes wrong," Schneier says. "If you understand the pathologies, you can correct them. If I know I see things as more optimistic than they are, I can know that and correct it, just like if I know that I see blue darker than it really is, I can in my head correct for it." The aim of the paper is to highlight our biases: "Here's how the brain works when it's thinking about security, we as security technologists need to understand this. BT has a risk cockpit, this fancy console that it uses to show executives what their security posture on the network is. If we don't know the cognitive biases of the people looking at it, we're not going to design it well - that's just the way it is. We will do a better job if we know how things will be perceived."

Interview continues on page two
