Schneier Mulls Psychology of Security

bednarz writes "Cryptography expert Bruce Schneier says security decisions often are much less rational than one would prefer. He spoke at the RSA conference about the battle that goes on in the brain when responding to security issues. Schneier explains 'The primitive portion of the brain, called the amygdala, feels fear and incites a fear-or-flight response, he pointed out. "It's very fast, faster than consciousness. But it can be overridden by higher parts of the brain." The neocortex, which in a mammalian brain is associated with consciousness, is slower but "adaptive and flexible,"'"

Just look to government....

[Dynedain]

Too bad the Department of Homeland Security doesn't have a neocortex.

Re:Just look to government....

[Walt+Dismal]

Another way of looking at the amygdala is to consider it a Priority Interrupt Controller. Other parts of the brain evaluate success or impending failure of certain goals, such as survival, and the amygdala chooses the strongest and most important issues and flags them for highest attention. This can be overriden by conscious rationality, but that is slower. I believe the amygdala evolved to handle fast decisions needing urgent attention or the cave bear would eat you by the time you reasoned out how to rationally respond.

Re:Just look to government....

[FooAtWFU]

Okay. I'll look to government. I'll even be bipartisan... or antibipartisan :)

We have two parties that have issues with threats to the world, after all. The Republicans have Terrorism, and the Democrats have Global Warming. Both are real and significant threats, but neither of them really gets addressed in the healthiest way possible. There's a lot of focus on OMG-deadly high-profile terrorist attacks, and on OMG-deadly consequences of global warming. Both parties have their people propose some ridiculously broad, sweeping changes to deal with the problem which would negatively impact everyday lives; fortunately, the more ridiculous ones are more likely to fail. And, of course, both parties are willing to throw money at people who claim to have some sort of solution to their problem, whether or not it's actually anything real, meaningful, or worthwhile (like the latest stupid XYZ antiterrorist technology rollout, or the latest bio-fuel legislation/subsidy).

No, they're not the same thing, but one can draw worthwhile parallels, and both parties would benefit by comparing themselves to the other, shaping their actions to avoid these excesses.

Re:Just look to government....

[mattkime]

>>Both parties have their people propose some ridiculously broad, sweeping changes to deal with the problem which would negatively impact everyday lives; fortunately, the more ridiculous ones are more likely to fail.

You can't get anywhere in politics if you allow the more radical elements to represent their party. Ignore them.

In the interest of bipartisanship you've equated the wholesale removal of civil rights with the suggestion that we shouldn't use so much oil.

Thats what I call Fair and Balanced.

Re:Just look to government....

In the interest of bipartisanship you've exaggerated the intentions of those concerned about terrorism and understated the intentions of those concerned with with global warming.

That's what I call a double straw-man.

Re:Just look to government....

3000 Americans died from terrorism in this entire young century. Meanwhile, 40,000 Americans died in auto crashes last year alone. I vote we use some of the "homeland security" money on guard rails.

Re:Just look to government....

[Lord+Ender]

There's a lot of focus on OMG-deadly high-profile terrorist attacks, and on OMG-deadly consequences of global warming.

Terrorism could cause a tiny handful of people to die. Warming could cause a mass extinction. Do you understand what I mean by mass extinction? I mean http://en.wikipedia.org/wiki/Mass_extinction.

One of these is a minor annoyance to the human species. The other is the end of life as we know it. Some have even suggested that run-away global warming caused Venus to become the hell-hole it is today. These are very different problems.

You are right that politicians, in general, care more about the appearance of solving problems than actually solving problems. But don't equate global warming with the relatively trivial issue of terrorism.

Re:Just look to government....

[djh101010]

3000 Americans died from terrorism in this entire young century. Meanwhile, 40,000 Americans died in auto crashes last year alone. I vote we use some of the "homeland security" money on guard rails.
Right, because even though we were promised followup events that "will dwarf 9/11" and they haven't happened, _obviously_ that money has all been wasted, is that it? As far as the auto crashes...I've been an EMT for a dozen years or so. I've never been to a fatal accident where the person who died was wearing a seatbelt. Not once. Spend all you want but when some idiot doesn't even take advantage of the basic safety equipment they've already been provided in their vehicle, there's no helping them.

Re:Just look to government....

No, they're not the same thing, but one can draw worthwhile parallels

One party's policies export violence and death, the other party's policies would restrict growth and drop wealth.

You're damn right they're not the same thing, it's not even in the same league.

Re:Just look to government....

[monkeydo]

Yes, just like the dinosaurs and every other living species that has lived or will live on the earth, humans will one day be extinct. I find it ironic that the same camp that refuses to see anything unique or sacred in human life is now whinnying about our eventual extinction. Come on, we're just masses of cells, masses of cells die!

Some have even suggested that run-away global warming caused Venus to become the hell-hole it is today.

How did humans get to Venus to cause all that global warming?

Re:Just look to government....

[FooAtWFU]

Terrorism could cause a tiny handful of people to die. Warming could cause a mass extinction. Do you understand what I mean by mass extinction?

I appreciate that. But consider, from the text of the article itself:

... people "exaggerate risks that are spectacular, rare, beyond their control, talked about, international, man-made, immediate, directed against children or morally offensive," Schneier noted.

Okay. Mass extinction. Rare? Ehh, depends-how-you-define-it. Children? Eh, not so much ("our children will have to deal with it", but...) Man-made? Check. (Especially for The Environmentalists). International? Check. Morally offensive? Sometimes-check (greed/profit/industry/decadence topics). Talked about? Definitely-check. Spectacular? Oooh boy, helluva check.

Even the Libertarians are accepting global warming as pretty-much-fact these days. That's one thing. But to immediately bring up mass extinction as a topic of doom (presumably, imminent doom) is, I think, perhaps, maybe just a little bit of a display of the sort of irrationality the article discusses. Just a smidge.

Re:Just look to government....

[Lord+Ender]

Humans will be extinct? That's a bold statement.

We are the only lifeforms with high intelligence. We are the only lifeforms with space travel. It would be stupidly reductionist to assume that we are just another lifeform.

Re:Just look to government....

[monkeydo]

And forever is a long time.

Re:Just look to government....

well... expertise in cryto or security doesnt mean you understand the rest of it. Its time somebody told him that giving his views as facts not a good idea, given that he has questionable expertise in that area.

Re:Just look to government....

[Joey+Vegetables]

Libertarians tend to believe in global warming, though not necessarily human-caused global warming. However, they also believe in voluntary cooperation, rather than government force, as the only morally acceptable solution to this or any other problem. Forcing people to act contrary to their own interests, even if it is for a "good cause," invariably makes problems worse and not better.

My personal take is that global warming is here, and is a GOOD thing, regardless of who caused it. It is likely to have the same effect that it did last time it happened, in the early 15th century: a massive increase in agricultural productivity, corresponding improvements in human lifespan and quality of life, and a great expansion of creativity, commerce, art, etc., just like the last Renaissance. This isn't to say there won't be problems and challenges too; obviously, coastal and/or desert regions will have to adapt, and some people - actually quite a few - may find themselves displaced. Governments will of course continue to try to stand in the way of progress, as they always do, but hopefully they will not succeed.

Re:Just look to government....

[zukakog]

We are the only lifeforms with space travel.

It would be stupidly reductionist to assume that we are the only lifeforms with space travel in the entire universe . . . or multiverse . . .

Most people cannot define "security".

[khasim]

Bruce has more at his website.
http://www.schneier.com/essay-155.html

As he says, we really should have two different words for the "feeling of security" and "security".

Re:Most people cannot define "security".

[Short+Circuit]

As he says, we really should have two different words for the "feeling of security" and "security". I thought we called that "comfort". As in, "I'm comfortable running Linux." or "I'm uncomfortable running Windows without antivirus software."

Re:Most people cannot define "security".

[Otter]

As he says, we really should have two different words for the "feeling of security" and "security".

Not a bad point, but it somewhat flies in the face of the idea that Bruce Schneier is an expert on any topic (neurophysiology, today) that remotely pertains to any definition of "security".

Re:Most people cannot define "security".

[MythoBeast]

[i]As he says, we really should have two different words for the "feeling of security" and "security".[/i]

Unfortunately, this would have about the same effect has having two words for "thinking" and "acting as if you'd thought about it." People would only apply the term for a "feeling of security" to others, and it would quickly be labeled derogatory and non-PC.

Amydala feels fear

[wumpus188]

There is always Anakin to the rescue.

Re:Amydala feels fear

[CyberLord+Seven]

Even though this subject is a dupe, this comment is FUNNY!

Brain region for thinking about security

[cold+fjord]

Most thinking about security seems to be centered in the nullcortex.

42

[ElephanTS]

Which is why "Don't Panic!" is such good advice.

Re:42

If you reverse 42, you get 24.

.... GO GET 'EM, JACK!

It makes sense

[140Mandak262Jamuna]

From the article: There is a "feeling versus reality," Schneier said. "You can feel secure but not be secure. You can be secure but not feel secure. The primitive portion of the brain, called the amygdala, feels fear and incites a fear-or-flight response, he pointed out. "

That is why the real amygdala hides in the background pretending to be a mere attendant like the pitutary gland and communicates with a prominantly placed fake-amygdala using elaborate signals and esp communication. All these scientists have been fooled into studying the fake-amygdala. So they underestimate the real security of the brain. Let someone assassinate the fake-amygdala in a spaceport in Coruscant and suddenly you will see the real amygdala emerge from the shadows and assume the role as the rightfully elected Queen of Naboo.

Re:It makes sense

['nother+poster]

Security through obscurity never works. ;)

Re:It makes sense

[DoofusOfDeath]

"Shut up brain or I'll poke you again with a Q-tip!!!"

(H. J. Simpson)

Re:It makes sense

[monkeydo]

IMO, Schneier has two problems. The first is that he thinks he is an expert in everything, and he thinks he is always right. Now he is an expect in human psychology. The second is that for some reason people are unwilling to stand up and say when he is full of it. Some days his blog is nothing other than Bush bashing under the guise of writing about security. That being secure and feeling secure are different is not news. That even in business people make decisions based on emotions instead of understanding is not news either.

Re:It makes sense

[Profane+MuthaFucka]

The first is that he thinks he is an expert in everything, and he thinks he is always right.

That's not a problem if he is actually right. He's a security expert, which implies at least some competence in related areas. If someone thinks they are right, it's not a fault if they are actually right.

The second is that for some reason people are unwilling to stand up and say when he is full of it.

Where is he full of it? And why are people supposedly such cowards when it comes to standing up to him?

Some days his blog is nothing other than Bush bashing under the guise of writing about security.

Fully justified. The Bush administration has done almost nothing at all to make us secure. Again, what's the problem with that? Oh, I get it. You're putting politics ahead of security. Shame on you.

That being secure and feeling secure are different is not news.

If it's not news, then there's no excuse at all for the security theater which we see all around us.

That even in business people make decisions based on emotions instead of understanding is not news either.

In that case there's no reason to pay the executives the big bucks to make emotional decisions for either business or security. Fire them. And fire their boss, the person ultimately responsible for performance, GW Bush.

Re:It makes sense

[David+Gould]

Some days his blog is nothing other than Bush bashing under the guise of writing about security. It's true that some of Schneier's posts are very critical of the Bush Administration's security efforts. But, of all the statements that get attacked as "Bush-bashing", I'd say those posts are among the best cases for which to invoke the defense that:

"No, it's just that reality has an anti-Bush 'bias'."

repeat?

[tomstdenis]

Didn't we have an article about this already? Oh wait, that was about the fact that he was going to speak at the con, now we have an article about the talk he just gave?

Good lord, I want that guys press agent!

Tom

Re:repeat?

[schwaang]

Yes, but this article actually has content.

Re:repeat?

[TheCrazyMonkey]

Yes, but this article actually has content.

oh 'cause that makes a difference on slashdot

Security - 100%

[in2mind]

Is there something like "100% Security" for anything? I doubt it.

Re:Security - 100%

[John+Frink]

Like the rest of us learned in sex-ed, abstinence is the only way to have 100% security.

Re:Security - 100%

[sehlat]

The answer is yes.

In the grave.

Re:Security - 100%

You doubt it? You dont know G.W.Bush? You can be 100% secure that he is really stupid.

Re:Security - 100%

[belligerent0001]

If your goal is to keep something out someone elses hands you can make it 100% secure by destroying it (kinda like MAD) before or as they get it. Maybe not the best method but it is 100%, presupposing they can't reconstruct it from the remains.

It must be said...

[Doctor+Memory]

primitive portion of the brain, called the amygdala, feels fear and incites a fear-or-flight response This should actually be fight-or-flight response. Fear is the stimulus, the amygdala merely chooses (or rather, "strongly suggests", as the article points out) the reaction to it.

Re:It must be said...

[powerpants]

In terms of Hamming distance, it's actually closer to "fear-of-flight," aka aviophobia. Think about it.

Irritating.

[Elentari]

It never fails to annoy me when people take snippets of theoretical psychology and redistribute them as truth. Scientists' views of which parts of the brain are responsible for which characteristics of human life change on almost a daily basis, yet phrases such as "language centre" or "mammalian brain" are constantly being used in a way that presents them as definite fact.

It seems unnecessary to incorporate impressive-sounding terms into a speech that, quite honestly, seems to be stating the obvious. Increasing or decreasing security is a response to fear; fear is an emotion and, therefore, decisions that use it as a base will not be purely rational, but will have emotional bias, like every other human decision. You don't need vague descriptions of brain "impulses", and such, to prove that.

Re:Irritating.

[Lemmy+Caution]

I agree completely: the problem is that the alternatives are usually worse. While the popular abuse of materialist explanations is often fraught with cliches and crude caricatures from evolutionary psychology or cognitive neuroscience, the alternative winds up being an appeal to older folk-methods of explanation, such as substance-dualistic or even religious ones (whether explicit or covert - it is startling how much of the metaphysics, epistemology and ethics of Western-educated people who think themselves secular are still essentially Christian - this includes especially so-called liberal humanism!)

Re:Irritating.

[ashtophoenix]

Precisely. People take terms like "Consciousness", which mean totally different things for different kinds of people and for most people it doesn't even hold a meaning (since most haven't pondered about it). To talk about anything even faintly human, or even animal, in terms of consciousness, one needs to include the physical, vital, emotional, mental and the spirit (which many people may call an inner-daemon, guide or just feeling). At least the author needs to provide a definition of what he means by consciousness.

Re:Irritating.

[DerekLyons]

It never fails to annoy me when people take snippets of theoretical psychology and redistribute them as truth.

Bruce Schneier has been doing this ever since 9/11 - parlaying his reputation (well earned) in cryptography into a career as a security pundit (without any actual credentials).

Re:Irritating.

[monkeydo]

He's been doing what you say since before 9/11. He wrote in the introduction to "Secrets and Lies" that he had an "epiphany" one day that security isn't about cryptography (like it was when he was just a cryptographer), but that it was about managing risk. Oh, and by the way he had just founded the company that you should hire to manage your risk for you. So, Bruce Schinier was transformed from a cryptography to a "security expert" (read, risk manager). He's not a bad writer, and he seems to be able to convey a message to many people, but I've never found his observations to be particularly insightful. He tries too hard to break new ground, and he winds up coming up with this amygdyla stuff.

Re:Irritating.

[vicaya]

It irritates me to no end, when somebody just brand something they don't understand with "theory" or "theoretical". Just like the ID folks who like to call evolution a "theory". This time, it's neither "theoretical" nor psychology. It has much to do with "experimental", biophysics, biochemistry, physiology, neurology and neuroscience in general. May I recommend that you read "Principles of Neural Science" by Kandel et. al, which is often assigned as a textbook for many undergraduate and graduate neuroscience and neurobiology courses. The book attempts to at least introduce every aspect of the modern understanding of the biology of the brain.

Re:Irritating.

[DerekLyons]

He's been doing what you say since before 9/11. He wrote in the introduction to "Secrets and Lies" that he had an "epiphany" one day that security isn't about cryptography (like it was when he was just a cryptographer), but that it was about managing risk.

Then he's extraordinarily ignorant of his own field - I first encountered the idea that security wasn't just about cryptography in the mid 70's while reading Kahn's The Codebreakers (itself written in 1967). The more general idea that security is about risk (vulnerability) reduction is equally widely known - I've read it in [commercial] security manuals from the 60's. Reading the Amazon reviews of Secrets and Lies merely confirms that he is peddling and new and amazing concepts already widely known among actual security professionals - so widely known they made their way into the nonprofessional works on the field as well. (He gets glowing reviews on Amazon from computer geeks mostly because computers geeks are so painfully stupid about things other than computers - as well as insufferably arrogant that, because they are computer geeks, they know more than anyone else about anything.)
 
 

Oh, and by the way he had just founded the company that you should hire to manage your risk for you. So, Bruce Schinier was transformed from a cryptography to a "security expert" (read, risk manager).

 
The first step towards respectability for any snake oil salesman is to write a book - why do you think so many late night infomercial gurus are flogging theirs?
 
 

He's not a bad writer, and he seems to be able to convey a message to many people, but I've never found his observations to be particularly insightful. He tries too hard to break new ground, and he winds up coming up with this amygdyla stuff.

 
He's a pretty good writer - his problem is that he is an awful thinker. He gets a lot of attention because his arguements resonate with a certain moonbat portion of the American political spectrum - which gives him influence well beyond his ability. What he doesn't get is a lot of criticism. So far as breaking new ground grows - that little surprises me. He's a pundit - and pundits get paid by generating column inches and buzz, not by being right.

A point easily proven

[TinBromide]

People care more about problems that they can't control than ones they can prevent.

For example: Airplanes. How many people feel more secure behind the wheel of a car than on a long flight with turbulence?

Put your hands down, now the sheer probability of getting into a car accident in one's lifetime (if one drives) is a miniscule number below one. Death statistics are somewhere around 1 in 237 of a car type accident. The odds of an airplane death are like 1 in 5051 source

However, people are freakishly nervous about planes... So, by induction (the bane of an engineer's existance) we can extrapolate (another fancy bane) that security people will ignore the dangerous mundane and fixate on the extraordinary rarity.

Re:A point easily proven

[CyberLord+Seven]

Hmmmm, I dunno. Seat belts, air-bags, Anti-lock brakes, roll-bars on convertibles. I think people care a lot about things they can control. IF...they can control them.

Ralph Nader to the RESCUE!

Re:A point easily proven

[Chosen+Reject]

Having been on a flight just over the weekend that had some wicked turbulence all I can say was it was awesome. My wife didn't like it a whole lot, but I thought it was better than Six Flags. I swear there were times the whole plane must have just dropped 20 feet or so. It was so exciting I almost got back in line after we arrived.

Re:A point easily proven

[ashtophoenix]

That doesn't say anything to me. The fact is that if you get into a car crash, there are chances that you may survive. In an airplane, thats it! End of Story! No second chances! Maybe that is the cause of the fear, don't you think? And a legitimate one at that. Given a choice would you rather be in a car crash or a plane crash, the consequnces of both aren't disclosed to you yet?

Re:A point easily proven

[fmoliveira]

Lets say that the average person in this statistics travel twice a day with their cars, and twice a year they take a plane. And this ratio is just 237/5051.

If your numbers are correct, cars are much safer than planes. This statistic manipulation to tell planes are safe is just an old lie.

Re:A point easily proven

[etully]

Hmmm... that's an interesting point. So what are the real numbers?

Let's say:

Airborn Hours = total # hours that all humans spend in the air in a year
Driving Hours = total # hours that all humans spend in a car (either passenger or driver) in a year

So I want to know how (Automobile Deaths / Driving Hours) compares to (Airplane Deaths / Airborn Hours).

Re:A point easily proven

[bill_mcgonigle]

Having been on a flight just over the weekend that had some wicked turbulence all I can say was it was awesome. My wife didn't like it a whole lot, but I thought it was better than Six Flags. I swear there were times the whole plane must have just dropped 20 feet or so. It was so exciting I almost got back in line after we arrived.

Did you fly through a thunderstorm? That's the best. There are even flashy lights going off all around you.

The major downside is the smell of vomit that permeates the cabin. Gas-masks required.

Re:A point easily proven

[Lord+Ender]

the sheer probability of getting into a car accident in one's lifetime

Hey Mr. Statistics: Care to use some meaningful numbers? What are the chances of dying PER HOUR of being on a plane compared to the chances PER HOUR of being in a car?

I haven't looked it up, but I assume a two-hour flight is more likely to kill you than a two-hour road trip. That's a pretty good justification to fear the flight more than the drive.

Not to take away from your argument, but I HATE bullshit statistics.

Re:A point easily proven

[TinBromide]

not to poke holes in your argument, but in an hour and a half flight will get me roughly 440 miles (distance from tallahasse to ft. lauderdale). If i were to drive that distance, it would take me 7 hours (give or take traffic and pee breaks). So, in a 2 hour flight, you may cover 500 miles (or more), but in a 2 hour drive, you may only cover 100-160 miles. So you have to consider deaths per mile as well as deaths per hour. So, even if the deaths per hour is equivalent, if you were to take that 2 hour drive, turn it into a commuter flight, it would be 1/4th the time or so. Same end product, reduced risk.

Re:A point easily proven

[Vegeta99]

Ah, statistics:

Motor Vehicle: 1.3 deaths per million miles driven (by all vehicles, that is, if a million cars drove 1 mile, 1.3 drivers would die)

Air Carriers: 1.9 deaths per million miles flown by all aircraft.

Now wait a second! Whatshisface grandparent said planes were SAFER!

Well, OK. There are less planes than cars, but more people, so:

Yearly, 1 out of every 7,700 people die in a car wreck.
Yearly, 1 out of every 2,067,000 people die in an airplane wreck, but by that measure, motorcycles are safer than cars.

Stats let anyone say whatever they want to say

Re:A point easily proven

[Cthefuture]

Ugh, I have to point this out every time someone makes this assertion.

The fact of the matter is every Tom, Dick and Jane moron drives. If the vehicle accidents only showed people with actual driving skill then you could compare to flying in a plane but throwing in the general population against trained maintenance staff and pilots is rediculous. Now I know there are times when even the best driver may not be able to avoid a bad situation but the statistics don't make any distinction between driving skill and death rate.

Maybe compare truck driving deaths per mile travelled versus plane deaths per mile or something. Even that might not be accurate but would probably be at least a little more close to accurate.

Re:A point easily proven

You should use passenger miles to make your point stick.
In USA each car carry 50 passengers.
(These were not official figures just something that came from my hat)

Re:A point easily proven

[Lord+Ender]

This started as criticizing people for feeling anxious on flights. The point I demonstrated and you failed to refute is that a person is closer to death on an airplane than in a car, so if anxiety is at all reasonable, it is more reasonable to be anxious while on a plane than in a car.

The safest way to travel a given number of miles (what you seem to be talking about) was never an issue.

Re:A point easily proven

[Kirth+Gersen]

To TinBromide re comparing car and plane deaths:

You forget that you are much more likely to die *per hour* in a plane than a car.

Average people travel by plane perhaps ten hours per year; by car perhaps 700 hours per year. (My numbers, made up on the spot.)

So the lifetime death should be 70 times lower, if the death rate per hour were the same. But it isn't: it's about 20 times lower (via your numbers). So while you're in a plane, you're three or four times more likely to die than while you're in a car.

Also, of course, if you're in a car you seldom have more than a couple of seconds warning to worry before an accident, but in a plane you may be subjected to hours of agonizing fear prior to the impact.

Still feel safe?

Difficulty Factor

[Bryansix]

I think that the true dichotomy of the situation that plays out in people's minds is 1) Spend the time and effort to secure this system the right way and stress out all the time 2) Be lazy and just do what will get us by and at least buy us some security even if it's security through obscurity.

instant vs. considered responses

[smellsofbikes]

Malcolm Gladwell's book "Blink" talks a lot about the differences between first impression and actual, thoughtful reaction to a situation, including some interesting studies on what happens when the two conflict and how measurement of the effects of those conflicts on reaction time can tell us a lot about how the brain is processing material. There's controversy around some of his conclusions but I strongly recommend the book and everything else Gladwell has written.

Re:instant vs. considered responses

[99BottlesOfBeerInMyF]

I strongly recommend the book and everything else Gladwell has written.

Blink has been on the verge of being added to my reading list for a long while. I've read some other stuff by Gladwell and frankly, while I found it sort of entertaining, I also thought his "logic" was spotty at best. Maybe he understands how to draw logical, supported conclusions, but he sure doesn't present it well and some of his assertions seem to be sheer nonsense. My main motivation for reading it would be to understand his arguments, so I can reasonably discuss them when next some twit at a party starts parroting them.

Re:instant vs. considered responses

[smellsofbikes]

I learned a lot from both it and "the tipping point" -- the width of his coverage is amazing. The material is *very* attractive to business- and new-age-types who will leave with nothing more than the conclusions, but I think it's the background and support material that's more interesting: the primary sources. Check it out from a local library and give it a shot. I don't think you'll find the time wasted, even if you completely disagree. There's a rebuttal book out there called "Think" that might also be worth your time, although I haven't read it yet.

Re:instant vs. considered responses

[99BottlesOfBeerInMyF]

I learned a lot from both it and "the tipping point" -- the width of his coverage is amazing.

So I read "the tipping point" and found it interesting, but upon looking a little harder I realized the research was very backwards. It looks like he started with a few premises, then looked specifically for data to support that, resulting in a wholly improper application of statistics. Gladwell even admits in later interviews that he no longer believes some of the concepts he espoused after seeing others evaluate the available data more scientifically. Quite simply, I don't trust either his methodology in coming to beliefs he espouses, or the data he cites to support it, since that data seems to have been chosen simply because it does suggest a possible (but unproven) connection. It is fine to speculate on subjects as he does, but he tries to make it seem pseudo-scientific, as though he were applying the trusted scientific method and understanding the world as a result, when that seems not to be the case at all.

I don't think you'll find the time wasted, even if you completely disagree.

Considering some of the crap fiction I "waste" my time on, so long as it is moderately entertaining I'm not too worried. I am a little concerned, however, that his illogical arguments by authority will mislead people and result in making poor decisions.

Re:instant vs. considered responses

[smellsofbikes]

What you're talking about is a very deep problem. Everyone is biased. Gladwell absolutely cherry-picks his evidence to support his thesis. The problem is: most people don't realize that, and don't go looking into the greater picture. Obviously you do. It's really frustrating to talk to people who don't. Gladwell's stuff is ripe for cherry-picking in its own right -- quoting the most convenient parts to support what a person believes, and even more misleading when the source for the convenient parts is itself the result of editing and selective choices.

I don't really see much difference between New-Age-types on the left, Young-Earth-types on the right, or business- and pop-psychology-types off in their respective corners. They're all believing based on a very selective choice of evidence, from which their beliefs are justified. I really like Gladwell -- I've corresponded with him -- but he's doing something similar (although he's doing it as exposition rather than religiously.)

Ironically, perhaps, one of the things he talks about in Blink is the problem you have when your initial, intuitive response collides with your intellectual reasoned response, because (there's evidence that) in order to process something we have to believe it at least somewhat, first. So, in the same way, when we read Blink, we have to believe he's right, and then think afterwards about what is sustainable.

Schneier says no, but that's not his aim

[schwaang]

In his essay he tells a little joke about aiming for 100% security:

I remember in the weeks after 9/11, a reporter asked me: "How can we prevent this from ever happening again?" "That's easy," I said, "simply ground all the aircraft."

100% security has never been his aim. His aim, AFAICT, is to distinguish real security from BS, so we can evaluate the costs and tradeoffs and then make smart choices.

More on this philosophy:

The truth is that we're not hopelessly bad at making security trade-offs.[...]There are several specific aspects of the security trade-off that can go wrong. For example:

      1. The severity of the risk.
      2. The probability of the risk.
      3. The magnitude of the costs.
      4. How effective the countermeasure is at mitigating the risk.
      5. How well disparate risks and costs can be compared.

The more your perception diverges with reality in any of these five aspects, the more your perceived trade-off won't match the actual trade-off.

Re:Schneier says no, but that's not his aim

[nine-times]

Well, in essence, security is not about being "100% secure". 100% never happens, and can't even happen theoretically. The 100% only way to prevent unauthorized access to a computer is to prevent any kind of access whatsoever. The only way to prevent anyone from ever accessing a particular piece of data is to never create that data anyway, or else destroy it immediately. Even then, you face a possible breakdown: what about the mechanism for preventing that data from being created, or for destroying it? If that mechanism breaks down, the data is out.

So, ok, what is security about, then? It's about making unauthorized activities difficult enough to discourage people from even trying. It's about making sure that breaking in takes longer than anyone would want to spend to break in. It's about increasing your odds of detecting someone doing something they shouldn't. In short, it's about making unauthorized activities difficult, unappealing, and visible, but it is *not* about making them impossible.

Re:Schneier says no, but that's not his aim

[fermion]

#4 and 5 is where many people miss the boat, and really shows whether they are more interesting in showing security rather than creating security. For instance, some of the new immigration laws at the state level are frankly discussed as unenforceable. They are nearly 100% ineffective as a physical deterrent, and are only mildly effective as a physiological deterrent. This is not so bad in itself, but such laws create additional real and psychological risks, which may significantly outweigh any possible benefits. For example, laws that cannot or are not enforced reduce the confidence in the integrity of the overall legal framework and open up the law to selective enforcement, which reduces the sense of impartiality and can be a vector of corruption.

1938 wants its "cortical-thalamic pause" back...

Its just a part of "General Semantics" http://en.wikipedia.org/wiki/General_Semantics/. Given a good boost by noted science-fiction writer A.E. Van Vogt who was later hounded by Scientology http://en.wikipedia.org/wiki/A._E._van_Vogt/

rich techie blowhards

[wsanders]

People like to go on and on about "feh the authoritees are stoopid", like all the ass-talking over the incident in Boston last week.

But the real world doesn't work that way, unless you live in Mensa-Fascist-Fantasy-World and fantasize the state killing those that don't behave with Klingon-like rationality. Basically, you have to take the stupid, irrational people into account. (Damn Customers!)

Many public (law enforcement) agencies have a motto: "Could You Explain It On 60 Minutes?" That pretty much sums it up. For example if I hear one more rich techie blowhard bitching about how they are inconvenienced by airport security I'll scream. But they are not in charge of hiring thousands of people for the oh so wonderful jobs involved in groveling through people's luggage and car trunks. And were we to implement a putative purely rational system, what would Mr Techie say to 60 Minutes in the even that someone got through?

Re:rich techie blowhards

[Rob+the+Bold]

But the real world doesn't work that way, unless you live in Mensa-Fascist-Fantasy-World and fantasize the state killing those that don't behave with Klingon-like rationality.

Damn those Klingons and their rationality! It's always "Logic dictates this" and "Humans are irrational and impulsive" with them. Smug jerks.

Re:rich techie blowhards

[grammar+fascist]

Damn those Klingons and their rationality! It's always "Logic dictates this" and "Humans are irrational and impulsive" with them. Smug jerks.

I thought Klingons paraded about quoting Shakespeare. Huh.

Re:rich techie blowhards

It's interesting that you use "Can you explain it on 60 Minutes??" as
a rationalization for TSA etc.

It's as though good security policy is that which is isomorphic
to what your average moron (IQ=100) can understand by half-listening
to a popular TV show.

Re:rich techie blowhards

[oatworm]

You're thinking of Vulcans, you insensitive and probably sarcastic clod!

Karl Rove knows

[Conanymous+Award]

A feeling of security is created by
-locking turrrrrsts (or people who just might be ones) into secret prisons and off-shore camps for an indefinite time
-wiretapping you
-taking away your basic civil rights
-manipulating the media
-bombing country X
-creating a color indicator for turrrrrr threat levels (to make you feel extra secure, they can flash orange every now and then)
-ridiculous airport safety checks ("those paper scissors are a big no-no, but the knife we give you onboard is completely safe!")
-reminding you how unsafe you'd be without all of this.

Burn karma, burn...

Consciousness?

[ashtophoenix]

This may be a little off the point of TFA but I am not sure what the author means when he refers to the part of the brain that is related to "Consciousness". Neither am I clear on what the author means by the term "consciousness" here. Is consciousness, per the author, limited to the brain? What about the emotional, vital parts of a human being and what about that "inner voice" or daemon or feeling many people talk about? Are those not parts of consciousness? Coz then I would like to make them a part of the equation on which people base their fears, also.

Re:Consciousness?

[99BottlesOfBeerInMyF]

I am not sure what the author means when he refers to the part of the brain that is related to "Consciousness". Neither am I clear on what the author means by the term "consciousness" here. Is consciousness, per the author, limited to the brain?

The model of human consciousness, to which the author refers is one that normally maps us to three layers, each of which corresponds to an evolutionary stage. The first layer is pain/pleasure and even very small organisms with no real brains, can respond to this sort of stimuli. The model moves on to the second layer, emotion, as a higher level of preprogrammed instinct, possessed by reptiles and other animals with brains. Basically, this is your brain reacting to a stimuli, with a simple predefined emotion. The third level, is rational thought, where we think about what we are experiencing and make decisions based upon that higher thought. This level of the brain is possessed by mammals and some other "higher" animals in differing degrees.

Here's an example situation. You're standing right in front of a bunch or rose bushes and a big, growling dog runs up to you. You take a step back and are pricked by a thorn. Your initial response to the pain is move away from the thorn to relieve the pain. Overriding that level of though is the emotion of fear, triggered by your perception of the dog as a threat. This fear is a preprogrammed response to run away from danger and hide. As a result, you push back into the rosebush ignoring the pain. A split second later your reason kicks in and you reason that if you don't show fear by cowering away, the dog is unlikely to attack, so you move back forward and hold your ground, while looking around for help, or a big rock.

"Consciousness," in humans, according to this model, is the combination of these three layers, although he seems to be ignoring the first layer. It is also important to note that this model does not mean a given layer always overrides the others and that they all act in conjunction. You might find the body language of a given person invokes the emotion of fear, which makes you angry, which leads you to react in a nonconstructive way to that person, leading you to try to get them fired. Rationally, there may be no reason for you to fear them, but that does not necessarily govern your actions. In my experience the motivation for actions is often on the emotional level, while the justification of those actions, is the rational level. People might be emotionally conditioned to dislike socialism (for example) and thus logically find reasons to justify that belief.

The model is most likely an oversimplification, but it can be useful in understanding how people think, in certain ways.

What about the emotional, vital parts of a human being...

This would be part of the second, emotional/instinctive layer.

...and what about that "inner voice" or daemon or feeling many people talk about?

This would be part of the higher, rational layer. In some variations of the model the subconscious is an independent layer from the rational layer, while in other cases it is subset of the rational and emotional layers.

Oblig. joke

[Captain+Splendid]

Too bad the Department of Homeland Security doesn't have a neocortex.

That's alright, they have a neoconcortex instead!

Sorry, couldn't help myself. You may now mod this post into oblivion...

No doubt I will be flamed for this

[Rumagent]

But, I wonder how much attention we would pay to a psychologist speaking on computer science. Is the only qualification to speak on anything non-technical, the ability to pick up a first year text book and leaf through it?

As much as I respect Schenier, I would no sooner trust his assertions on psychology, than I would trust those of Dr. Phil. If he had co-written a couple of articles with someone relevant and had them published in a proper journal things would be different. But after reading the (otherwise impressive) list of his publications it is clear that this is not the case.

So flame me, but Schenier has little authority when he speaks of psychology.

Re:No doubt I will be flamed for this

Its different as I tell all of my Psychologists: Psychology isn't a real science. Plus, the whole point of this is the point that he's trying to raise. Namely, that perceived security is not the same as real security and we as a society should keep that in mind when trying to decide what to spend security money on. That's a valid fact, that no head shrinker can deny. It basically means that we are bad at estimating probabilities when emotion is thrown into the mix.

Re:No doubt I will be flamed for this

[schwaang]

So flame me, but Schenier has little authority when he speaks of psychology.

If you read the essay you'll see that he isn't inventing his own psychological theories. He's doing a survey of several fields that have produced results relevant to security, and showing how those results affect decision-making and perception around security.

He may make mistakes in applying theories from other fields, but it's only by publishing his applications that the academic conversation can occur. Cross-disciplinary stuff is like that.

For your enjoyment, here's the list of references from his essay, many from outside the field of security. #10 sounds especially authoritative ;)

1 Bruce Schneier, Beyond Fear: Thinking Sensibly About Security in an Uncertain World, Springer-Verlag, 2003.

2 Robert B. Cialdini, Influence: The Psychology of Persuasion, HarperCollins, 1998.

3 Malcolm Gladwell, Blink: The Power of Willful Thinking, Little, Brown & Co, 2005.

4 Daniel Gilbert, Stumbling on Happiness, Alfred A. Knopf, 2006.

5 Barry Schwartz, The Paradox of Choice, HarperCollins, 2004.

6 Bruce Schneier, Beyond Fear: Thinking Sensibly About Security in an Uncertain World, Springer-Verlag, 2003.

7 David Ropeik and George Gray, Risk: A Practical Guide for Deciding What's Really Safe and What's Really Dangerous in the World Around You, Houghton Mifflin, 2002.

8 Barry Glassner, The Culture of Fear: Why Americans are Afraid of the Wrong Things, Basic Books, 1999.

9 Paul Slovic, The Perception of Risk, Earthscan Publications Ltd, 2000.

10 Daniel Gilbert, "If only gay sex caused global warming," Los Angeles Times, 2 Jul 2006.

11 Jeffrey Kluger, "Why we Worry About the Things we Shouldn't...And Ignore the Things we Should," Time, 26 Nov 2006.

12 Steven Johnson, Mind Wide Open: Your Brain and the Neuroscience of Everyday Life, Scribner, 2004.

13 Daniel Gilbert, "If only gay sex caused global warming," Los Angeles Times, July 2, 2006.

14 Donald A. Norman, "Being Analog," http://www.jnd.org/dn.mss/being_analog.html. Originally published as Chapter 7 of The Invisible Computer, MIT Press, 1998.

15 Gerg Gigerenzer, Peter M. Todd, et al, Simple Heuristics that Make us Smart, Oxford University Press, 1999.

16 Daniel Kahnerman and Amos Tversky, "Prospect Theory: An Analysis of Decision Under Risk," Econometrica, 1979, 47:263-291.

17 Amos Tversky and Daniel Kahnerman, "The Framing of Decisions and the Psychology of Choice," Science, 1981, 211: 453-458.

18 John Adams, "Cars, Cholera, and Cows: The Management of Risk and Uncertainty," CATO Policy Analysis #335, March 4, 1999.

19 Daniel J. Kahneman, Jack L. Knetsch, and R.H. Thaler, "Experimental Tests of the Endowment Effect and the Coase Theorem," Journal of Political Economy, 1990, 98: 1325-1348.

20 Jack L. Knetsch, "Preferences and Nonrevsrsibility of Indifference Curves," Journal of Economic Behavior and Organization, 1992, 17: 131-139.

21 David L. Rosenhan and Samuel Messick, "Affect and Expectation," Journal of Personality and Social Psychology, 1966, 3: 38-44.

22 Neil D. Weinstein, "Unrealistic Optimism about Future Life Events," Journal of Personality and Social Psychology, 1980, 39: 806-820.

23 P. Winkielman, R.B. Zajonc, and N. Schwarz, "Subliminal affective priming attributional interventions," Cognition and Emotion, 1977, 11:4, 433-465.

24 Daniel Gilbert, "If only gay sex caused global warming," Los Angeles Times, July 2, 2006.

25 Paul Slovic, The Perception of Risk, Earthscan Publications Ltd, 2000.

26 Amos Tversky and Daniel Kahnerman, "Judgment under Uncertainty: Heuristics and Biases," Science, 1974, 185:1124-1130.

27 Bruce Schneier, Beyond Fear: Thinking Sensibly About Security in an Uncertain World, Springer-Verlag, 2003.

28 Barry Glassner, The Culture of

mammalian brain theorists

[lionel77]

It never fails to annoy me when people take snippets of theoretical psychology and redistribute them as truth. Scientists' views of which parts of the brain are responsible for which characteristics of human life change on almost a daily basis, yet phrases such as "language centre" or "mammalian brain" are constantly being used in a way that presents them as definite fact.

Tell me about it, those mammalian brain theory advocates are getting on my nerve lately, too. I mean, the existence of so called mammals has not even been sufficiently established and here are these people talking about some kind of futuristic computational super weapon that these things are supposed to possess. What ever happened to scientific integrity?

On a more serious note, though, I fully agree with your basic point that there is not much worse than people taking concepts from a discipline they know almost nothing about (in this case cognitive neuroscience) and then throwing them around as buzz words and making theoretical claims that make you cringe if you have some basic understanding of the material.

Too complicated

[Billosaur]

His view is far too complicated. The essence of security is: people think they are secure. They happily type their data into web sites without considering where it goes because in most cases, they have no clue what systems are in operation. Past the words "computer", "database", and "Internet (or Web)" the average person has no concept of how any of it works. Someone, their bank say, sends them a link to a website -- the first problem is, they really have no way to verify it is from their bank, other than going to their local branch and asking, which seems to be beyond anyone's capability. Now, once they've accepted that the link is "legitimate", whether it is or not, they plow ahead and begin banging on the keyboard and typing in their info. Screens come and go, they are admonished occasionally when they don't enter something right, and finally some message pops up thanking them and that's that. Whether the whole transaction was legitimate or not never enters into it.

"Security" is a misnomer -- you are no more secure against possible data theft or manipulation on the Internet than you are physically safe crossing the street in a crosswalk. The only security you can have is in being vigilant in what you do and following up everything you do to make sure it is legitimate. Past that, you're on you own.

Security and panic disorder

As someone who suffers with panic disorder and who is also a network security person by trade (CISSP consultant, unfortunately) I can attest to the irrationality of the "lower" brain. Persons with my condition frequently find it unbearable to do something as simple as stand in line or get in an elevator as even the smallest perceived loss of freedom is enough to send the heart rate soaring. On a particularly bad day I had to excuse myself from a post office line for 15 minutes to pretend to be filling out an address on an envelope as the impending "Next!" and being faced with some "official" was making my hands shake. For the rest of you there is no more mundane experience than mailing a parcel!

All that said, I think Schneider's comments about the amygdala are a bit misplaced. The horrendous waste of security resources in this country -- the 3oz limitation on liquids for example -- do not originate from a panicky, palm sweating reaction but rather a much more calculated, if reactive, decision to make the average person feel like something is being done. If you want to talk about the amygdala and security, talk about one's reaction to a stranger approaching you in the park at night with a "hey buddy, come here a second." Corporate and government security policies are hashed out in nauseatingly arduous sessions with many "expert" consultants who throw out their usual spiel to justify their oversized fee.

Bruce would do better to argue that we need to account for our tendency to implement security schemes which favor the perception of effectiveness rather than true scenario effectiveness. Then again, he is a cryptographer, we can't expect him to be an expert on all things security. Injecting bits of psychology is tempting but runs the risk of being disingenuous. He loses a little credence in my view.

Deaths per Mile

[bill_mcgonigle]

That doesn't say anything to me. The fact is that if you get into a car crash, there are chances that you may survive. In an airplane, thats it! End of Story! No second chances! Maybe that is the cause of the fear, don't you think? And a legitimate one at that. Given a choice would you rather be in a car crash or a plane crash, the consequnces of both aren't disclosed to you yet?

The important measure isn't odds of death in a crash, it's odds of death per mile traveled.

If you drive from Boston to San Diego you're more likely to die than if you fly from Boston to San Diego. But coming back around to your point this measure even masks non-fatal injuries. Since most car wrecks don't result in death, it therefore figures that driving from Boston to San Diego you're much more likely to be injured or maimed than if you fly, by a factor of (car crashes / fatal car crashes).

Stupid new moderation thingy

[Soulfader]

I couldn't find the -1 Oblivion mod. A little help here?

Re:Stupid new moderation thingy

[CelticWhisper]

-1 Morrowind will work just as well.

Obvious action item here

[Hortensia+Patel]

The primitive portion of the brain, called the amygdala, feels fear and incites a fear-or-flight response

Hire River Tam as your chief security officer.

Why I hate metaphors

[IthnkImParanoid]

Abstinence doesn't prevent unauthorized physical access. Besides, penetration testing is a vital part of security.

Now I need to go take a shower.

Got that right

[Master+of+Transhuman]

"The primitive portion of the brain, called the amygdala, feels fear and incites a fear-or-flight response, he pointed out. "It's very fast, faster than consciousness. But it can be overridden by higher parts of the brain."

But rarely is, in ninety-eight percent of the known cases, i.e., humans.

"The neocortex, which in a mammalian brain is associated with consciousness, is slower but "adaptive and flexible,"

Again, rarely - about two percent of the known cases at best.

Chimpanzees simply don't do well with the fear of death. You can blame evolution, but facts are facts.

Re:Got that right

[TheLink]

Unlike bankruptcy, death is regarded by "primitive gut-feel" as being a bit more permanent.

Primitive perhaps, but it has worked well enough for a very long time. I'd say any of that "new fangled" stuff needs maybe millions more years (or more) to prove that it's actually better.

Overridden by higher parts of the brain

[brownaroo]

As a programmer I find (in regards to security) that fear is often overridden by laziness

You're overreacting

[arevos]

One of these is a minor annoyance to the human species. The other is the end of life as we know it. Says who? The Earth's biosphere has undergone climate changes many times more rapid and many times more devastating than it is currently undergoing. Increased CO2 emissions are unlikely to be doing it any good, but nor is it the end of the world by any stretch of the imagination. How can you react so rationally to the threat of terrorism, and yet so irrationally to the threat of global warming?

That said, the side effects of global warming will likely result in a far higher death toll than terrorism. But at the same time, global warming is unlikely to cause as many human deaths as car accidents, HIV, cigarettes, swimming pools and all the other things that people commonly die from. Global warming is obviously an issue, but it's not going to cause climate change on the scale of Venus, because if the Earth's climate were that fragile, we wouldn't be here today.

Bruce Schneier Facts

How well do you know your Bruce Schneier Facts?

LOL, you're exactly the kind of person...

...the article is talking about!

OMG! We're gonna die!! Think of the children!!!! Baaaaaaaaaaaaaaaaaa!!!!!!!! Nacho grande!!!!!!!!!!!!!!!!

Call the exorcist!

Okay, if you've got daemons in your head, then either:

    1) Your brain runs on *nix, or
    2) You need an exorcist