Digests: Bruce Schneier's Beyond Fear
According to Bruce Schneier, one of the foremost experts on security in the world (and a top executive at BT), security is both a feeling and a reality. And those two things, though related, are definitely not the same.

Solving complex security problems is about breaking them into smaller and simpler steps. He’s developed five key questions that put all security choices – made by governments, companies or individuals – into context, showing the trade-offs that are required and their consequences.

Security is an amalgam of emotion and rationality
Schneier believes the reality of security is mathematical, based on the probability of different risks and the effectiveness of different countermeasures. We can calculate how secure your home is from burglary, for example, based on factors like the crime rate in your neighbourhood and whether you lock your doors or not. We can calculate how likely it is for you to be murdered, either on the streets by a stranger or at home by a family member. Or how likely you are to suffer identity theft. Given enough statistics, it’s not even hard; insurance companies do it all the time.

We can also calculate how much more secure a burglar alarm will make your home, or how well a credit freeze will protect you from identity theft.

But, Schneier argues that security is also a feeling, based not on probabilities, but on your psychological reactions to both risks and countermeasures. You might feel terribly afraid of terrorism, or you might feel it’s not worth worrying about. You might feel safer when removing your shoes at airport security gates, or you might not. You might feel you’re at a high risk of burglary, medium risk of murder, and low risk of identity theft. And your neighbour, in the exact same situation, might feel that he’s at high risk of identity theft, medium risk of burglary, and low risk of murder.

Or, more generally, you can be secure even though you don’t feel secure. And you can feel secure even though you’re not. The feeling and reality of security are certainly related to each other, says Schneier, but they’re just as certainly not the same as each other. In fact, we’d probably be better off if we had two different words for them.

Schneier, who is also CTO at BT Counterpane, a world-class security practice that helps companies and governments protect their assets, manage risk, ensure business continuity and simplify regulatory compliance, has written a recent book, Beyond Fear, that investigates how people and companies can deal with something as complex as security.

A five-step approach
He seeks to demystify security by breaking it down into smaller and simpler steps. He develops a five-step process to analyse and evaluate security systems, technologies and practices. Each of the five steps contains a key question that helps you focus on your particular security choices, whether that be the purchase of new security software or the company-wide implementation of specific countermeasures. The five questions help you determine which kinds of security make sense and which don’t.

1. What are you trying to protect?
This question might seem basic, but a surprising number of people never ask it. Answering the question effectively means understanding the scope of the problem. For example, securing an airplane, an airport, commercial aviation, the transportation system and a nation against terrorism are all different security problems requiring different solutions.

2. What are the risks to those assets?
Here Schneier considers the need for security. Answering this question involves understanding what is being defended, what the consequences are if it is successfully attacked, who wants to attack it, how they might attack it and why.

3. How well does the security solution mitigate those risks?
Another seemingly obvious question, but one, Schneier believes, that is regularly ignored. If the security solution doesn’t solve the problem, it’s no good. This is not as simple as looking at the security solution and seeing how well it works. It involves looking at how the security solution interacts with everything around it, evaluating both its operation and its failures.

4. What other risks does the security solution cause?
This question addresses what might be called the problem of unintended consequences. Security solutions have ripple effects, Schneier says, and most cause new security problems. The trick is to understand the new problems and make sure they are smaller than the old ones.

5. What costs and trade-offs does the security solution impose?
Every security system has costs and requires trade-offs. Most security costs money, sometimes substantial amounts; but other trade-offs may be more important, ranging from matters of convenience and comfort to issues involving basic freedoms like privacy. Understanding these trade-offs is essential.

Schneier applies these five questions to some of the critical security challenges faced today, examining, for example, the debate about the need for national ID cards and how to counter the terrorist threat, among other issues.

He delivers some surprising and often counter-intuitive conclusions and argues that, contrary to popular belief, security is not mysterious, nor even hard. What is hard is separating the hype from what really matters.

Schneier invites his readers to move beyond fear and to start thinking sensibly about security. He shows that security is much more than CCTV, armed guards or having photo IDs in every wallet or purse. He shows that expensive gadgets and technological cure-alls often obscure the real security challenges.

Bruce Schneier’s non-alarmist, straight-talking, sensible approach is a welcome antidote to much of the hyperbole spouted by other security experts. It needs to be read by every government official and company manager who is responsible for making choices about security.

Read this influential risk resilience text in full at:
Beyond Fear – Thinking Sensibly About Security in an Uncertain World by Bruce Schneier, published by Springer Science & Business Media, 2006