Bruce Schneier: More on the Broad View of Security

By Derek Slater, CSO | Security, Bruce Schneier

Bruce Schneier's evolution of interests is well documented, moving from encryption to broader and broader perspectives on security. (Hence his recent appearance on 60 Minutes, commenting on TSA's airport screening procedures.) To bring wider perspectives to bear on security issues, Schneier (Chief Security Technology Officer at BT) held in 2008 the first Workshop in Security and Human Behavior, with participants from a broad swath of disciplines including economics, psychology and more.

Schneier spoke with CSOonline about his multidisciplinary view of the field and plans for 2009.

CSO: What was the biggest surprise or most enlightening development at the Workshop in Security and Human Behavior?

The most interesting aspect of the workshop was how different the ways in which people were thinking about the same sorts of issues were. Security is fundamental to many different disciplines, sometimes more explicitly than others, and different researchers have been working on the same sorts of problems, within their own discipline, for years. It was fascinating getting everyone in the same room and talking to each other.

For example, a lot of the seemingly irrational security trade-offs that the behavioral economists have documented can be explained by the evolutionary psychologists. And the effectiveness of social engineering with regards to computer attacks can, in part, be explained by those working in deception detection.

Gary Steele, the CEO of Proofpoint, mentioned recently that they have hired a bunch of people with backgrounds in gene sequencing, because it's all about pattern matching and thus directly applicable to problems like large-scale spam detection. What other fields are already contributing directly to security in surprising ways?

Lots of disciplines contribute to security in surprising ways all the time. Security is an application as well as a discipline, so developments in many areas affect security. Think about the invention of the radio, which completely changed the world of policing. Or computing technology. Or automobile technology, used by both police and bank robbers. Or number theory, which was completely academic until Diffie and Hellman invented public key cryptography. Or, well, everything else.

Are you planning another workshop for 09, and how might it differ from the first?

We are. Originally we thought that we should focus the workshop more, on a specific problem, but then we decided to do it the same way as the first: to have 50 or so people come together and talk about the particular aspect of security and human behavior that they're working on. What's most valuable about the workshop is the interactions between disciplines, and we want to encourage that as much as possible.

On a different note, your blog post "FBI Stoking Fear" calls to mind a conundrum in security, particularly regarding low-probability, high-impact events. After 9/11 some media outlets described those attacks as 'unimaginable', but of course they had been imagined and written about in some detail. Now we see that Mumbai had various warnings or intelligence reports. But it's hard to differentiate communications about "could happen" and "might have been tossed around in an online forum" and "likely to happen" in a meaningful way (particularly given that an internal FBI memo may become external, etc.). How should companies in particular think about these things?

People tend to estimate the probability of something happening based on how easy it is to bring instances of that thing to mind. So it's easy to overestimate the probability of something that actually happened, and to underestimate the probability of something that didn't happen. You see this cognitive bias when people talk about how likely a past outcome was: Monday morning quarterbacking, it's called. It's important not to lose sight of real probabilities. With regards to terrorism, any one attack -- either tactic or target -- is very unlikely, but it's easy to get wrapped up in defending against exactly what the terrorists did last time. It's far better to invest in security that defends against a broad spectrum of attacks: intelligence, investigation, and emergency response.
