Bruce Schneier, CSTO, BT Global Services
Over the last couple of years I’ve been exploring the idea that security is both a feeling and a reality and that by failing to account for the psychology of security, we’re missing a crucial aspect.
The reality of security is founded in mathematics based on the probability of different risks and the effectiveness of different countermeasures. But security is also a feeling, based not on probabilities but on your psychological reactions to both risks and countermeasures. For example, you might feel safer when removing your shoes at airport security gates, or you might not. More generally, though, you can be secure even though you don’t feel secure. And you can feel secure even though you’re not.
Security problems are, by definition, inherently complex. The best way to solve complex security problems is to break them into smaller and simpler steps. In Beyond Fear [Copernicus Books, 2003], I outlined five key questions that put all security choices – made by governments, companies or individuals – into context, showing the trade-offs that are required and their consequences.
A Five-Step Approach
We can go part of the way to demystifying security by breaking it down into smaller and simpler steps. Each of the five steps contains a key question that helps you focus on your particular security choices, whether they involve the purchase of new security software or a company-wide implementation of specific countermeasures. The five questions help you determine which kinds of security make sense and which don’t.
1. What are you trying to protect?
This question might seem basic, but a surprising number of people never ask it. Answering the question effectively means understanding the scope of the problem. For example, securing an airplane, an airport, commercial aviation, the transportation system, and a nation against terrorism are all different security problems requiring different solutions.
2. What are the risks to those assets?
Answering this question involves understanding what is being defended, what the consequences are if it is successfully attacked, who wants to attack it, how they might attack it and why.
3. How well does the security solution mitigate those risks?
This is another seemingly obvious question, but one, I believe, that is routinely ignored. If the security solution doesn’t solve the problem, it’s no good. This is not as simple as looking at the security solution and seeing how well it works. It involves looking at how the security solution interacts with everything around it, evaluating both its operation and its failures.
4. What other risks does the security solution cause?
This question addresses what might be called the problem of unintended consequences. Security solutions have ripple effects, and most cause new security problems. The trick is to understand the new problems and make sure they are smaller than the old ones.
5. What costs and trade-offs does the security solution impose?
Every security system has costs and requires trade-offs. Most security costs money, sometimes substantial amounts; but other trade-offs may be more important, ranging from matters of convenience and comfort to issues involving basic freedoms like privacy. Understanding these trade-offs is essential.
If you apply these five questions to some of today’s critical security challenges, you end up with some surprising and often counterintuitive conclusions. Contrary to popular belief, security is not mysterious, nor even difficult. What is difficult is separating the hype from what really matters.