The Psychology of Security

Too bad we don’t have separate words for security the mathematical reality and security the psychological feeling, because they are as distinct as air and water. At one time Schneier maligned the psychology of security, dismissing what he called security theater: measures that make people feel safe even at the expense of being safe. But, in an interview with CSO’s Scott Berinato, he says the more he learns about the human brain, the more he’s coming around to see value in security theater.
CSO: I want to talk about the presentation you’re giving at RSA on the psychology of security. I think this is very interesting. We’ve talked to you quite often in the past, and you continue to evolve in both your view of security and what you find interesting about security. Talk to me about how this talk arrived.

Bruce Schneier: Well, it’s odd. My career seems like an endless series of generalizations, and recently I’ve been studying the economics of security. I guess, more generally, how people come to make security tradeoffs, because it seems increasingly clear as we wander around the world that people aren’t very good at it. And there’s a body of research on--in behavioral economics that looks at how people make decisions and what their pathologies or heuristics or biases are, and that led me to read about the psychology of decision-making and the psychology of risk. And it turns out--I mean, I had no idea that there are a bunch of psychologists and sociologists that study how people deal with risk, with security, with when they feel safe and when they don’t. And I think this information, this research, is really germane to us in computer security trying to design products and services that work, trying to get our employees or our family members or our fellow citizens to employ good security practices. How they approach security is really relevant and actually really interesting.

CSO: It seems particularly germane in security because so much of it is sort of hidden. It’s hard for us to touch it. And so what security is and what it feels like on a computer are two totally different things, which it turns out--in general it seems like you’re saying security is a feeling and a reality.

Schneier: Something I said way back when I wrote Beyond Fear is that technology makes this harder because it obscures the inner workings of what’s going on. I mean, if we’re making risk decisions based on our perceptions, a lot of stuff is hidden when you get involved in computers. And it’s not just things like the website hides who’s behind it, whether it’s legitimate or fake, but even the inner workings of an e-mail program or a firewall. We don’t understand it the same way we might understand an analog--let’s say, in a gate in a city wall and someone who monitors who goes in and out. So yeah, technology does obscure how things work, and that makes things harder.

CSO: Now, this notion of the security feeling versus the security reality is something that we’re all kind of aware of but maybe we don’t internalize, and I know you’ve talked about sort of your evolution on this topic where you once--you say you maligned this idea, and you’ve kind of come around on that. Do you want to talk about that a little bit?

Schneier: Well, it’s interesting, and since there are really two words, right? Security is a feeling and it’s a reality, and they’re not the same things. You can feel secure even though you’re not, and you can be secure even though you don’t feel it. So, in a sense, we actually need two different words here, but we have the same word and we’re forever conflating the two. And I would always malign what I called security theater as security that doesn’t make you any more secure and just makes you feel secure, right? As a security professional, that is a complete waste of resources. It doesn’t actually do anything except make you feel better, as a palliative. But if you think about it in a broader context, there’s real value to that, right? There’s not security value, but there is perceptual value. So an easy example would be the National Guard troops that were stationed at airports in the months after September 11th, and people who flew might remember them. They were sitting just inside airport security checkpoints. They had big, scary-looking guns which had no bullets. Now, that was probably a good idea because these are all kids, but that’s largely security theater.
It doesn’t make us safer, but if you remember the social climate back then, people were afraid to fly. A little security theater went a long way toward helping our economy recover. So in a broader perspective, it might not be such a bad idea.

CSO: Just the other day we had the reverse of this in Boston, Massachusetts, when a viral marketing campaign kind of got out of hand. The advertisement firm--excuse me--had placed small electronic LiteBrites with cartoon characters in them, LiteBrite-like devices, under bridges and sort of conspicuous public places. And they had been there for two weeks, but somebody happened to notice them this day and reported them, and you ended up with the opposite economic effect. People were afraid, bomb squads were called in, these things were blown up. There was a massive mobilization before anybody realized what these were. Do you want to talk a little bit about the reverse effect of security theater?

Schneier: Well, in a sense, you can argue that’s security theater, too. I mean, that was an overreaction. That was a security response that made no sense, given what happened. If you look at the pictures of these things, they are not bombs, and anybody who confuses them with bombs just isn’t paying attention. And, in fact, what seems like was happening now is the city of Boston is desperately trying to pretend that they were not acting ridiculously, that they were not just not paying attention. They’re trying to prosecute the people who did this, claiming that they were hoax bombs, which makes no sense. If I hand you, I don’t know, a tuna fish sandwich and you run away screaming, I didn’t give you a hoax bomb, you’re just an idiot, and there seems to be an issue with that. But that really does illustrate the difference between reality and perception. The perception of security was completely divorced from the reality of security, and a lot of effort was spent seemingly to make us more secure when it actually didn’t. I mean, it ended up being a waste. Now, the way to fix this, of course, is training. You don’t want people to--you don’t want policemen, especially, to react based on subjective fears. You want them to know what to do when they see something suspicious--what is a reasonable measured response?--until you figure out what it is.

CSO: One of the things I love about some of your thinking on the psychology of security that you’ll be talking about at RSA is this delving into the brain, which we seem to be doing more and more, looking at the brain and how the brain works as a--maybe not an explanation, but at least a contributing factor in our actions. And talk to me a little bit about the amygdala and the neocortex and what you’ve discovered about its effect on both perceived and real risk.

Schneier: Well, it really does explain what happens, and it turns out that dealing with risk is something core in living things. Very early in evolution we have to learn how to handle risk and survive, and the creatures that are good at doing this, that are good at making security tradeoffs on the fly, fast and effectively, live to reproduce, and the ones that aren’t get eaten or die. So evolutionarily, we get very, very good at dealing with risk.
So it’s important when you look at the brain not to say, well, we’re messing it up badly, but to be impressed at how well we do with such limited resources. Unfortunately, when you’re dealing in a world of malicious intelligence, you have the ability for things to go wrong either by accident or because someone manipulates them. So what you find is there are sort of two basic systems that handle risk in the brain, and they are actually completely separate. One of them is very, very primitive. This first showed up in fishes. And it’s the amygdala, which is what triggers the fight-or-flight reflex. It makes your palms sweaty, it pumps adrenalin into you. It happens lightning-fast, before your conscious brain is aware of what’s going on. You have been primed by this primitive brain to deal with the risk, and this is what happens at the core. Now, we as humans have developed consciousness. We’ve developed the ability to override that part of the brain. Maybe we want to stand our ground in the face of the charging woolly mammoth, because if we do that, we get dinner. We as humans can do that, whereas more primitive life forms can’t. So we have this whole other conscious brain which is trying to override that, and that in itself is difficult. But now the conscious brain has all sorts of heuristics and biases to deal with the risk, right? We’re not computers, we’re not mathematical. We do things quickly based on rules of thumb, and these rules of thumb are usually pretty brilliant. They are surprisingly accurate, and you look at them and you stare in wonder at the cleverness of the brain to come up with these. But they can be made to fail.