The Psychology of Security

I ran across a thought provoking essay by Bruce Schneier on The Psychology of Security that I don't believe has been mentioned here previously. An interesting read from a number of perspectives, and probably something given too little explicit consideration in making our own choices regarding security, as well as understanding what drives others in rendering their selections.

Blue

 

would you prefer
(a) a machine full of security which slows you down but protects you from 95% of risk or
(b) a faster machine with little security but might mean you have to restore a clean image once every 5 years or so ?

Thanks - have taken a PDF for my files - The arguments are well made and apply to many fields

 

Naturally, one of the implied points of the article is that a machine can be "full of security" and you may feel perfectly secure because of that, but that it may really protect you from (I'm pulling a number out of the air here) 5% of the actual threats.

If you're talking about an "every 5 year" situation, that's probably not "little security". That's a decent solution.

It's all about the tradeoffs that we make in how we approach a problem, and I will trade draconian protective measures (that will add security) for useability. I will try to make that tradeoff from an informed and realistic position. A specific case in point would be some of the point-counterpoint patching going on in the light virtualization world (see here for example, post 37 onward). I think those adjustments are needed as they appear and it's heartening seeing the vendors quickly address those issues, but they do not effect me at the moment, nor do I adjust what I do because of those "gaps".

The same is true with respect to shifts in challenge test results that appear all the time and reflect the point-in-time ebb and flow of the performance of specific security measures (AV's, for example). Rather than constantly shift between or juggle a plethora of solutions, I try to assess whether a shift is a normal fluctuation or long term degradation in performance, whether it's pragmatically important, and whether the cost in learning the quirks of another approach is higher than staying put. The timescale over which I tend to implement any change is more on a year timeframe basis than weeks or months. I understand that this strategy itself also needs to be fluid as well.

Blue

 

An interesting read indeed, thanks Blue for the illumination about this essay.

/C.

 

Brilliant! THX for sharing Blue

 

One of the points that Mr. Schneier captured quite well was the trade-offs involved in developing an operationally viable solution. Yes, those trade-offs are unique to each of us - and they depend on a number of variables such as experience, support needs, usage profiles, hardware, and so on - but we all need to make them, and we all do make them.

What strikes me in many threads here and elsewhere is the frequent positing of what appear to be security solutions (either product, configuration, or platform based) as absolutes. However, if one accepts that there are trade-offs which need to be made, an immediate corollary is that there are no absolute best solutions. There's an optimization of a solution relative to the collected trade-offs.

That's an important message to appreciate since some of the more heated discussions here and elsewhere seem to follow from a failure to appreciate the specific trade-offs that we've all made along the way. Furthermore, a large part of the ongoing security discussion in these forums could profitably focus on a dispassionate analysis of the objective quality of those trade-offs, since that often allows a user to figure out "what to do".

At least IMHO.

Blue

 

For every situation there is a best solution. We may not know that that solution is and indeed it may even be unknowable. The right combination of trade offs could lead to an approximation of that best solution. In practice, however, I think that you are more of an optimist than I, certainly more of an idealist. Take an element of tribalism, add a dash of cognitive dissonance and you have a typical wilders "debate". Having bought into the argument for such and such product the user naturally gravitates to those who also own the product. Tribal loyalties develop and the fans take sides. The strange thing is not that this rigid thinking occurs but that over time change does occur. Look at posts from a few years back and some of the solutions you will see would be ones that members today might prefer to forget.

 

It's really no different than simple mathematics - you can have multiple local and global maxima, they just happen to all have the same value. Add a bit of fuzziness to reflect reality, and there can be plenty of "best solutions"

All too true...

Let's not forget - at the time, they might have been the true globally optimum solution. But times change...

Blue

 

wow blue another great post.I very much enjoyed

 

He lost me after "It's".

 

Interesting read Blue

 

Nice to read but that won´t change anything even if we are aware we´ll act mainly subconscious, imo.

 

Simply brilliant

 

Holy crap, did you guys read all of this? Can perhaps someone give a quick summary?

 

Life is a Trade Off

 

and your prior experiences and familiarity with the situation have a large impact on how you make that trade-off.

The other obvious one - the perception of being secure and actually being secure are very different. It's very possible to have either one without the other.

Blue