Slashdot Mirror


Bruce Schneier Talks Brain Heuristics and Security

ancientribe writes "Bruce Schneier is at it again: the security icon shares his latest research and insight on the interplay between psychology and security in this article in Dark Reading. The focus of Schneier's latest research is on brain heuristics and perceptions of security, which may be the basis for the best-selling author's next book. His goal for the topic, which he'll be presenting at the RSA Conference next week, is to focus on how people think, and feel, about security, and how neuroscience can help explain how our perception of risk doesn't always match reality."

1 of 83 comments

  1. You mean, Bullshit in Bullshit out. by twitter · Score: 0, Troll

    Some of these five are easier to address but some reflect deeper realities about being human.

    And all but one of them have the same solution, Education.

    1. Incentives. This is the odd man out because punishing the victim does nothing for anyone. Disconnecting an identifiable problem on a public network should not be thought of as punishment but can serve as an incentive to fix the problem.
    2. Rarity. Bullshit. One in four computers is part of the botnet.
    3. Hubris. Bullshit. This attitude was created by commercial software vendors who have also made it impossible to secure computers by closing their code off.
    4. Boredom. Bullshit. The user should have a trusted repository of community verified software, like the Debian community provides. Being bored should not kill your computer.
    5. Sociality. Bullshit. People are nice and should be. Mouse links should not kill your computer. Proper training in the workplace makes employees not only more helpful but less likely to help out your mythical intrusion expert. See Bullshit #2 for why intrusion is stupid - why break in when you can remotely own the company's desktop.

    With proper education people will get rid of their insecure operating systems and the net will be a safer place for all of us. As the millions of happy Mac, Linux, BSD and other OS users can attest, it's not the user's fault. They have to be given the correct tools, correctly configured in an easy-to-use way instead of the booby traps that M$, Dell, HP and others sell.

    "If you can understand you are just reacting from fear, you have a better shot at understanding these human biases. Hopefully you can short-circuit them and improve on them and make it so we are not slaves to this," he says. "Fear is brain chemistry, but so is reason. We have to figure out how reason can trump fear."

    People react to what you tell them. As long as commercial vendors continue to bullshit people, bullshit will come out.

    --

    Friends don't help friends install M$ junk.