The Psychology of Security

Discussion in 'other security issues & news' started by BlueZannetti, Jan 23, 2008.

Thread Status:
Not open for further replies.
  1. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    I ran across a thought provoking essay by Bruce Schneier on The Psychology of Security that I don't believe has been mentioned here previously. An interesting read from a number of perspectives, and probably something given too little explicit consideration in making our own choices regarding security, as well as understanding what drives others in rendering their selections.

    Blue
     
  2. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Would you prefer
    (a) a machine full of security which slows you down but protects you from 95% of risk, or
    (b) a faster machine with little security but which might mean you have to restore a clean image once every 5 years or so?

    Thanks - have taken a PDF for my files - The arguments are well made and apply to many fields
     
  3. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Naturally, one of the implied points of the article is that a machine can be "full of security" and you may feel perfectly secure because of that, but that it may really protect you from (I'm pulling a number out of the air here) 5% of the actual threats.
    If you're talking about an "every 5 year" situation, that's probably not "little security". That's a decent solution.

    It's all about the tradeoffs that we make in how we approach a problem, and I will trade draconian protective measures (that will add security) for usability. I will try to make that tradeoff from an informed and realistic position. A specific case in point would be some of the point-counterpoint patching going on in the light virtualization world (see here for example, post 37 onward). I think those adjustments are needed as they appear and it's heartening seeing the vendors quickly address those issues, but they do not affect me at the moment, nor do I adjust what I do because of those "gaps".

    The same is true with respect to shifts in challenge test results that appear all the time and reflect the point-in-time ebb and flow of the performance of specific security measures (AVs, for example). Rather than constantly shift between or juggle a plethora of solutions, I try to assess whether a shift is a normal fluctuation or long term degradation in performance, whether it's pragmatically important, and whether the cost in learning the quirks of another approach is higher than staying put. The timescale over which I tend to implement any change is more on a year timeframe basis than weeks or months. I understand that this strategy itself also needs to be fluid.

    Blue
     
  4. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    An interesting read indeed, thanks Blue for the illumination about this essay.

    /C.
     
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Brilliant! THX for sharing Blue
     
  6. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    One of the points that Mr. Schneier captured quite well was the trade-offs involved in developing an operationally viable solution. Yes, those trade-offs are unique to each of us - and they depend on a number of variables such as experience, support needs, usage profiles, hardware, and so on - but we all need to make them, and we all do make them.

    What strikes me in many threads here and elsewhere is the frequent positing of what appear to be security solutions (either product, configuration, or platform based) as absolutes. However, if one accepts that there are trade-offs which need to be made, an immediate corollary is that there are no absolute best solutions. There's an optimization of a solution relative to the collected trade-offs.

    That's an important message to appreciate since some of the more heated discussions here and elsewhere seem to follow from a failure to appreciate the specific trade-offs that we've all made along the way. Furthermore, a large part of the ongoing security discussion in these forums could profitably focus on a dispassionate analysis of the objective quality of those trade-offs, since that often allows a user to figure out "what to do".

    At least IMHO.

    Blue
     
  7. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    For every situation there is a best solution. We may not know what that solution is and indeed it may even be unknowable. The right combination of trade-offs could lead to an approximation of that best solution. In practice, however, I think that you are more of an optimist than I, certainly more of an idealist. Take an element of tribalism, add a dash of cognitive dissonance and you have a typical Wilders "debate". Having bought into the argument for such and such product, the user naturally gravitates to those who also own the product. Tribal loyalties develop and the fans take sides. The strange thing is not that this rigid thinking occurs but that over time change does occur. Look at posts from a few years back and some of the solutions you will see would be ones that members today might prefer to forget.
     
  8. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    It's really no different than simple mathematics - you can have multiple local and global maxima, they just happen to all have the same value. Add a bit of fuzziness to reflect reality, and there can be plenty of "best solutions".
    All too true...
    Let's not forget - at the time, they might have been the true globally optimum solution. But times change...

    Blue
     
  9. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Wow Blue, another great post. I very much enjoyed it :)
     
  10. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    He lost me after "It's". :rolleyes:
     
  11. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    Interesting read Blue :thumb:
     
  12. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Nice to read, but that won't change anything; even if we are aware, we'll act mainly subconsciously, imo.
     
  13. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Simply brilliant :)
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    Holy crap, did you guys read all of this? Can perhaps someone give a quick summary? :blink:
     
  15. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Life is a Trade Off
     
  16. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    and your prior experiences and familiarity with the situation have a large impact on how you make that trade-off.

    The other obvious one - the perception of being secure and actually being secure are very different. It's very possible to have either one without the other.

    Blue
     