Black Hat 2012: Schneier says Trust & Reputation Trump Technology

“Society needs to rebalance and that’s hard to get right”, Schneier said. “There’s a natural security gap because of the natural advantage that the attacker has – they get to make the first move and have a shorter procurement cycle. They can make use of innovations faster than the defense/security community can.”

On top of this, Schneier said that the police – “raised on Agatha Christie novels” – often don’t have cyber training. “That adds to the built-in delay”.

Technology, Schneier argues, is only part of our defense. “Living in a time of the greatest technology ever, there is also the greatest security gap.” As security people, Schneier considered, “we’re unable to build mechanisms that only do good.” Schneier expressed a desire for the information security community to be honest, agile, and reactive. “The notion of ‘If you buy my widget you will be safe’ was never true.”

Trust and reputation are a great part of our defense, Schneier argued. “Trust is pervasive and natural in our society. Sometimes, being trustworthy simply means being compliant.” It’s this notion, in addition to the concept of reputation, which often ensures people behave in a trustworthy and compliant fashion.

Very often, Schneier said, people behave better if they suspect someone is watching them or their reputation is at risk. “Look at the ebay reputation system – it’s a weird system but it works well. It’s low-cost and high pay-off, and ebay suffers less fraud than it would without this system.”

“Most of us don’t steal because we know it’s wrong and we’d feel bad – this comes from inside our heads, but is enough of a security mechanism to keep most people conforming.” Schneier used attendee behaviour at Black Hat to support his point. “We mostly behave well. We’re not violent to the people sat next to us and we don’t sing and dance during somebody’s presentations. We sniff passwords, of course, but that’s just what we do here.”

One hundred percent conformity and societal pressure is “bad for society”, Schneier argued. “Society needs defectors – more security isn’t always better. We need to look at security from a different perspective.

“When something big and bad happens, people wonder why the measures weren’t in place to prevent it. When security is working, people wonder why we’re spending so much money on it”, finished Schneier. This comment seemed to resonate well with his audience.

What’s Hot on Infosecurity Magazine?