Bruce Schneier and the Psychology of Security

The acronym RSA is among the most recognizable in the information security industry. It stands for Rivest, Shamir and Adleman, the fellows who developed the public-key encryption and authentication algorithm and founded RSA Data Security, now known simply as RSA Security.

RSA’s annual security summit is arguably the most prestigious information security conference held each year. It is a “must-attend event” for companies that work in all the many fields under the “security” umbrella, from biometrics to cryptography. The RSA Conference is a high-powered assemblage of software developers, IT executives, policymakers, bureaucrats, researchers, academics and industry leaders, who come together to exchange information and share new ideas. The topics range widely from trends in technology to the best practices in biometrics, identity theft, secure web services, hacking and cyber-terrorism, network forensics, encryption and numerous others.

At the 2007 get-together, Bruce Schneier, among the security industry’s most inventive and outspoken experts, spoke on a topic that so fascinated and excited the audience and the industry that it was still being discussed at the 2008 event a full year later. Chief Technology Officer (CTO) at Counterpane, a firm he founded that was later acquired by BT (formerly British Telecom), Schneier is known for his cryptographic genius as well as his critiques of technology use and abuse.

In last year’s groundbreaking address, Schneier spoke about security decisions versus perceptions. He argued that, by and large, both are driven by the same irrational, unpredictable, subconscious motives that drive human beings in all their other endeavors. He has undertaken the gargantuan challenge of analyzing human behavior vis-à-vis risk-management decisions, and is reaching into the fields of cognitive psychology and human perception to facilitate this understanding and develop practical security applications for airports, the Internet, banking and other industries.

Awareness comes first

Schneier asserts that security managers, their business colleagues and their respective corporate user communities are subject to the same drives and passions as other humans doing other things. That means they are as likely as anyone else to make critical decisions based on unacknowledged impressions, barely-formed fears and faulty reasoning, rather than on objective analysis.

“Security is a tradeoff,” Schneier told an overflow audience at his RSA 2007 session. “What are you getting for what you’re giving up? Whether you make that tradeoff consciously or not, there is one.”

He gave an example of such a trade-off by predicting that no one in the audience was wearing a bullet-proof vest. No hands were raised at this challenge, which Schneier attributed to the fact that the risk was insufficient to warrant wearing one. In addition to this rational thinking process, he averred that other, less rational factors doubtless influenced the many individual decisions not to wear a vest – such as the fact they are bulky, uncomfortable and unfashionable.

“We make these tradeoffs every day,” said Schneier, going on to add that every other animal species does, too. In the business world, understanding how the human mind works will have a tremendously powerful effect on the decision-making process. Human psychology comes into play in matters concerning salaries, vacations and benefits. There is no question, he added, that it plays a crucial role in decisions about security as well.

Decision-making and “security theater”

Schneier has put a great deal of time into his study of human (and animal) psychology and behavioral science. Everything he has learned, he told the conference attendees, leads him to believe that the decisions made about security matters – whether by security firms or the responsible departments of other kinds of companies – are often “much less rational” than the decision-makers think.

The study of decision-making has led Schneier and others to take a new angle on the continuing argument over the effectiveness of “security theater.” The term refers to those measures – most airport measures, in fact, according to Schneier – that are designed to make people think they’re safer because they see something that “looks like security in action.” Even if that security does absolutely nothing to stop terrorists, the perception becomes the reality for people unwilling to look deeper into the issue. Sadly, Schneier said, there are many people who are unwilling to look more deeply into anything, preferring the false security of ignorance.

There is a “feeling versus reality” disconnect, Schneier asserted. “You can feel secure but not be secure. You can be secure but not feel secure.” As far as airport security is concerned, it has been proven again and again that it is not particularly difficult for terrorists (or your aunt, say) to bypass airport security systems. Therefore, the only thing the system can do is catch a very dumb terrorist, or decoy – but more importantly, the “theatrical approach” makes the American air traveler think that the security regime is accomplishing more than it actually is.

The TSA is not completely without merit. It is accomplishing something, doing at least some good work, as most any large organization would. The issue is not the little bit of good, but the large amount of pretense, plus the ultimate cost in both dollars and a devalued cultural currency. The TSA are three letters nearly as reviled as IRS, which is quite an accomplishment for a seven-year-old.

What we need to learn

Schneier is focusing his studies on the brain these days. The more “primitive” portion of it, known as the amygdala, is the part that simultaneously experiences fear and produces fear reactions. The primary, overriding reaction is called the “fight-or-flight” response, and Schneier pointed out that it works “very fast, faster than consciousness. But it can be overridden by higher parts of the brain.”

Somewhat slower, but “adaptive and flexible,” is the neocortex. In mammals, this portion of the brain is correlated with consciousness and evolved a set of responses that would confront fear and make decisions to promote personal and, later, group safety. The nexus, or overlapping area, between psychology and physiology is still being “mapped” and is far from being clearly understood, but it is the frontier for behavioral studies. And promoting security is one of the most basic of behaviors in higher forms of life.

The decision-making process can be characterized as a “battle in the brain,” and the struggle between mammalian-brain reactivity and such higher functions as reason and logic leads to people exaggerating certain risks. Particularly powerful on the fear-producing side are risks, real or perceived, that are “spectacular, rare, beyond [one’s] control, talked about, international, man-made, immediate, directed against children or morally offensive,” Schneier noted.

Of course, equally dangerous from the rational perspective are risks that are unnecessarily downplayed. These risks tend to be “pedestrian, common, more under [one’s] control, not discussed, natural, long-term, evolving slowly or affecting others.” Neither set of risks should have a “default position” in any decision-making process, Schneier said.

What we must overcome

Closing out his phenomenally well-received RSA 2007 presentation, Schneier mentioned studies showing that people, generally speaking, have an “optimism bias” that makes them think they will “be luckier than the rest.” Recent experimental research on human memory of “dramatic events” suggests that “vividness” – the quality of being “most clearly remembered” – typically means that the “worst memory is most available.”

Still other human psychological tendencies can trigger entirely irrational, as opposed to simply nonrational, responses from decision-makers. One main culprit goes by the term “anchoring.” It describes a mental process by which focus is shifted to other, secondary options in such a way as to create and manipulate bias. With all the factors in play within this psychological framework, Schneier encourages security managers to understand that responses to security risk – by management, their user communities and even themselves – may be irrational, sometimes incredibly so.

Schneier and other students of human behavior vis-à-vis safety and security know that we humans “make bad security tradeoffs when our feeling and our reality are out of whack.” A quick look in the daily papers and a few minutes listening to network news, he said, will provide plenty of evidence of “vendors and politicians manipulating these biases.”

Although we will possibly never overcome the seemingly innate human inclination to conflate and confuse feelings and reality, continuing attention to progress in the fields of cognitive and experimental psychology will greatly benefit both the perception and the reality of personal and national security. With the threats abroad in the world today, the sooner security professionals can bring increased rationality to decision-making processes in government and industry, the better.

Leave a Reply