Slashdot Mirror


Schneier Mulls Psychology of Security

bednarz writes "Cryptography expert Bruce Schneier says security decisions often are much less rational than one would prefer. He spoke at the RSA conference about the battle that goes on in the brain when responding to security issues. Schneier explains 'The primitive portion of the brain, called the amygdala, feels fear and incites a fear-or-flight response, he pointed out. "It's very fast, faster than consciousness. But it can be overridden by higher parts of the brain." The neocortex, which in a mammalian brain is associated with consciousness, is slower but "adaptive and flexible,"'"

29 of 101 comments

  1. Just look to government.... by Dynedain · · Score: 5, Funny

    Too bad the Department of Homeland Security doesn't have a neocortex.

    --
    I'm out of my mind right now, but feel free to leave a message.....
    1. Re:Just look to government.... by Walt+Dismal · · Score: 3, Informative

      Another way of looking at the amygdala is to consider it a Priority Interrupt Controller. Other parts of the brain evaluate success or impending failure of certain goals, such as survival, and the amygdala chooses the strongest and most important issues and flags them for highest attention. This can be overridden by conscious rationality, but that is slower. I believe the amygdala evolved to handle fast decisions needing urgent attention or the cave bear would eat you by the time you reasoned out how to rationally respond.

    2. Re:Just look to government.... by FooAtWFU · · Score: 4, Insightful
      Okay. I'll look to government. I'll even be bipartisan... or antibipartisan :)

      We have two parties that have issues with threats to the world, after all. The Republicans have Terrorism, and the Democrats have Global Warming. Both are real and significant threats, but neither of them really gets addressed in the healthiest way possible. There's a lot of focus on OMG-deadly high-profile terrorist attacks, and on OMG-deadly consequences of global warming. Both parties have their people propose some ridiculously broad, sweeping changes to deal with the problem which would negatively impact everyday lives; fortunately, the more ridiculous ones are more likely to fail. And, of course, both parties are willing to throw money at people who claim to have some sort of solution to their problem, whether or not it's actually anything real, meaningful, or worthwhile (like the latest stupid XYZ antiterrorist technology rollout, or the latest bio-fuel legislation/subsidy).

      No, they're not the same thing, but one can draw worthwhile parallels, and both parties would benefit by comparing themselves to the other, shaping their actions to avoid these excesses.

      --
      The World Wide Web is dying. Soon, we shall have only the Internet.
    3. Re:Just look to government.... by mattkime · · Score: 2, Insightful

      >>Both parties have their people propose some ridiculously broad, sweeping changes to deal with the problem which would negatively impact everyday lives; fortunately, the more ridiculous ones are more likely to fail.

      You can't get anywhere in politics if you allow the more radical elements to represent their party. Ignore them.

      In the interest of bipartisanship you've equated the wholesale removal of civil rights with the suggestion that we shouldn't use so much oil.

      That's what I call Fair and Balanced.

      --
      Know what I like about atheists? I've yet to meet one that believes God is on their side.
    4. Re:Just look to government.... by Anonymous Coward · · Score: 2, Interesting

      In the interest of bipartisanship you've exaggerated the intentions of those concerned about terrorism and understated the intentions of those concerned with global warming.

      That's what I call a double straw-man.

    5. Re:Just look to government.... by Lord+Ender · · Score: 3, Interesting

      There's a lot of focus on OMG-deadly high-profile terrorist attacks, and on OMG-deadly consequences of global warming.
      Terrorism could cause a tiny handful of people to die. Warming could cause a mass extinction. Do you understand what I mean by mass extinction? I mean http://en.wikipedia.org/wiki/Mass_extinction.

      One of these is a minor annoyance to the human species. The other is the end of life as we know it. Some have even suggested that run-away global warming caused Venus to become the hell-hole it is today. These are very different problems.

      You are right that politicians, in general, care more about the appearance of solving problems than actually solving problems. But don't equate global warming with the relatively trivial issue of terrorism.
      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    6. Re:Just look to government.... by FooAtWFU · · Score: 2, Insightful

      Terrorism could cause a tiny handful of people to die. Warming could cause a mass extinction. Do you understand what I mean by mass extinction?
      I appreciate that. But consider, from the text of the article itself:

      ... people "exaggerate risks that are spectacular, rare, beyond their control, talked about, international, man-made, immediate, directed against children or morally offensive," Schneier noted.
      Okay. Mass extinction. Rare? Ehh, depends-how-you-define-it. Children? Eh, not so much ("our children will have to deal with it", but...) Man-made? Check. (Especially for The Environmentalists). International? Check. Morally offensive? Sometimes-check (greed/profit/industry/decadence topics). Talked about? Definitely-check. Spectacular? Oooh boy, helluva check.

      Even the Libertarians are accepting global warming as pretty-much-fact these days. That's one thing. But to immediately bring up mass extinction as a topic of doom (presumably, imminent doom) is, I think, perhaps, maybe just a little bit of a display of the sort of irrationality the article discusses. Just a smidge.

      --
      The World Wide Web is dying. Soon, we shall have only the Internet.
  2. Most people cannot define "security". by khasim · · Score: 4, Informative

    Bruce has more at his website.
    http://www.schneier.com/essay-155.html

    As he says, we really should have two different words for the "feeling of security" and "security".

    1. Re:Most people cannot define "security". by Short+Circuit · · Score: 3, Insightful

      As he says, we really should have two different words for the "feeling of security" and "security".
      I thought we called that "comfort". As in, "I'm comfortable running Linux." or "I'm uncomfortable running Windows without antivirus software."
  3. Amydala feels fear by wumpus188 · · Score: 4, Funny

    There is always Anakin to the rescue.

  4. Brain region for thinking about security by cold+fjord · · Score: 2, Funny


    Most thinking about security seems to be centered in the nullcortex.

    --
    much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
  5. 42 by ElephanTS · · Score: 4, Funny

    Which is why "Don't Panic!" is such good advice.

    --
    spoonerize "magic trackpad"
  6. It makes sense by 140Mandak262Jamuna · · Score: 4, Funny
    From the article: There is a "feeling versus reality," Schneier said. "You can feel secure but not be secure. You can be secure but not feel secure. The primitive portion of the brain, called the amygdala, feels fear and incites a fear-or-flight response, he pointed out. "

    That is why the real amygdala hides in the background pretending to be a mere attendant like the pituitary gland and communicates with a prominently placed fake-amygdala using elaborate signals and ESP communication. All these scientists have been fooled into studying the fake-amygdala. So they underestimate the real security of the brain. Let someone assassinate the fake-amygdala in a spaceport in Coruscant and suddenly you will see the real amygdala emerge from the shadows and assume the role as the rightfully elected Queen of Naboo.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:It makes sense by 'nother+poster · · Score: 4, Funny

      Security through obscurity never works. ;)

    2. Re:It makes sense by Profane+MuthaFucka · · Score: 2, Interesting

      The first is that he thinks he is an expert in everything, and he thinks he is always right.

      That's not a problem if he is actually right. He's a security expert, which implies at least some competence in related areas. If someone thinks they are right, it's not a fault if they are actually right.

      The second is that for some reason people are unwilling to stand up and say when he is full of it.

      Where is he full of it? And why are people supposedly such cowards when it comes to standing up to him?

      Some days his blog is nothing other than Bush bashing under the guise of writing about security.

      Fully justified. The Bush administration has done almost nothing at all to make us secure. Again, what's the problem with that? Oh, I get it. You're putting politics ahead of security. Shame on you.

      That being secure and feeling secure are different is not news.

      If it's not news, then there's no excuse at all for the security theater which we see all around us.

      That even in business people make decisions based on emotions instead of understanding is not news either.

      In that case there's no reason to pay the executives the big bucks to make emotional decisions for either business or security. Fire them. And fire their boss, the person ultimately responsible for performance, GW Bush.

      --
      Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!
    3. Re:It makes sense by David+Gould · · Score: 2, Insightful

      Some days his blog is nothing other than Bush bashing under the guise of writing about security.
      It's true that some of Schneier's posts are very critical of the Bush Administration's security efforts. But, of all the statements that get attacked as "Bush-bashing", I'd say those posts are among the best cases for which to invoke the defense that:

      "No, it's just that reality has an anti-Bush 'bias'."

      --
      David Gould
      main(i){putchar(340056100>>(i-1)*5&31|!!(i<6)<< 6)&&main(++i);}
  7. repeat? by tomstdenis · · Score: 2, Insightful

    Didn't we have an article about this already? Oh wait, that was about the fact that he was going to speak at the con, now we have an article about the talk he just gave?

    Good lord, I want that guy's press agent!

    Tom

    --
    Someday, I'll have a real sig.
  8. It must be said... by Doctor+Memory · · Score: 2, Insightful

    primitive portion of the brain, called the amygdala, feels fear and incites a fear-or-flight response
    This should actually be fight-or-flight response. Fear is the stimulus, the amygdala merely chooses (or rather, "strongly suggests", as the article points out) the reaction to it.
    --
    Just junk food for thought...
    1. Re:It must be said... by powerpants · · Score: 2, Funny

      In terms of Hamming distance, it's actually closer to "fear-of-flight," aka aviophobia. Think about it.

  9. Irritating. by Elentari · · Score: 5, Insightful
    It never fails to annoy me when people take snippets of theoretical psychology and redistribute them as truth. Scientists' views of which parts of the brain are responsible for which characteristics of human life change on almost a daily basis, yet phrases such as "language centre" or "mammalian brain" are constantly being used in a way that presents them as definite fact.

    It seems unnecessary to incorporate impressive-sounding terms into a speech that, quite honestly, seems to be stating the obvious. Increasing or decreasing security is a response to fear; fear is an emotion and, therefore, decisions that use it as a base will not be purely rational, but will have emotional bias, like every other human decision. You don't need vague descriptions of brain "impulses", and such, to prove that.

  10. A point easily proven by TinBromide · · Score: 3, Insightful

    People care more about problems that they can't control than ones they can prevent.

    For example: Airplanes. How many people feel more secure behind the wheel of a car than on a long flight with turbulence?

    Put your hands down, now the sheer probability of getting into a car accident in one's lifetime (if one drives) is a minuscule number below one. Death statistics are somewhere around 1 in 237 of a car type accident. The odds of an airplane death are like 1 in 5051 (source).

    However, people are freakishly nervous about planes... So, by induction (the bane of an engineer's existence) we can extrapolate (another fancy bane) that security people will ignore the dangerous mundane and fixate on the extraordinary rarity.

    --
    Is it sad that I am more likely to recognize you and your posts by your sig than your name or UID?
  11. Difficulty Factor by Bryansix · · Score: 2, Insightful

    I think that the true dichotomy of the situation that plays out in people's minds is 1) Spend the time and effort to secure this system the right way and stress out all the time 2) Be lazy and just do what will get us by and at least buy us some security even if it's security through obscurity.

  12. instant vs. considered responses by smellsofbikes · · Score: 3, Interesting

    Malcolm Gladwell's book "Blink" talks a lot about the differences between first impression and actual, thoughtful reaction to a situation, including some interesting studies on what happens when the two conflict and how measurement of the effects of those conflicts on reaction time can tell us a lot about how the brain is processing material. There's controversy around some of his conclusions but I strongly recommend the book and everything else Gladwell has written.

    --
    Nostalgia's not what it used to be.
  13. Schneier says no, but that's not his aim by schwaang · · Score: 4, Informative
    In his essay he tells a little joke about aiming for 100% security:

    I remember in the weeks after 9/11, a reporter asked me: "How can we prevent this from ever happening again?" "That's easy," I said, "simply ground all the aircraft."
    100% security has never been his aim. His aim, AFAICT, is to distinguish real security from BS, so we can evaluate the costs and tradeoffs and then make smart choices.

    More on this philosophy:

    The truth is that we're not hopelessly bad at making security trade-offs.[...]There are several specific aspects of the security trade-off that can go wrong. For example:

          1. The severity of the risk.
          2. The probability of the risk.
          3. The magnitude of the costs.
          4. How effective the countermeasure is at mitigating the risk.
          5. How well disparate risks and costs can be compared.

    The more your perception diverges with reality in any of these five aspects, the more your perceived trade-off won't match the actual trade-off.
  14. Oblig. joke by Captain+Splendid · · Score: 4, Funny

    Too bad the Department of Homeland Security doesn't have a neocortex.

    That's alright, they have a neoconcortex instead!

    Sorry, couldn't help myself. You may now mod this post into oblivion...

    --
    Linux, you magnificent bastard, I read the fucking manual!
  15. Too complicated by Billosaur · · Score: 2, Interesting

    His view is far too complicated. The essence of security is: people think they are secure. They happily type their data into web sites without considering where it goes because in most cases, they have no clue what systems are in operation. Past the words "computer", "database", and "Internet (or Web)" the average person has no concept of how any of it works. Someone, their bank say, sends them a link to a website -- the first problem is, they really have no way to verify it is from their bank, other than going to their local branch and asking, which seems to be beyond anyone's capability. Now, once they've accepted that the link is "legitimate", whether it is or not, they plow ahead and begin banging on the keyboard and typing in their info. Screens come and go, they are admonished occasionally when they don't enter something right, and finally some message pops up thanking them and that's that. Whether the whole transaction was legitimate or not never enters into it.

    "Security" is a misnomer -- you are no more secure against possible data theft or manipulation on the Internet than you are physically safe crossing the street in a crosswalk. The only security you can have is in being vigilant in what you do and following up everything you do to make sure it is legitimate. Past that, you're on your own.

    --
    GetOuttaMySpace - The Anti-Social Network
  16. Deaths per Mile by bill_mcgonigle · · Score: 2, Insightful

    That doesn't say anything to me. The fact is that if you get into a car crash, there are chances that you may survive. In an airplane, that's it! End of Story! No second chances! Maybe that is the cause of the fear, don't you think? And a legitimate one at that. Given a choice would you rather be in a car crash or a plane crash, the consequences of both aren't disclosed to you yet?

    The important measure isn't odds of death in a crash, it's odds of death per mile traveled.

    If you drive from Boston to San Diego you're more likely to die than if you fly from Boston to San Diego. But coming back around to your point this measure even masks non-fatal injuries. Since most car wrecks don't result in death, it therefore figures that driving from Boston to San Diego you're much more likely to be injured or maimed than if you fly, by a factor of (car crashes / fatal car crashes).

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  17. Why I hate metaphors by IthnkImParanoid · · Score: 2, Funny

    Abstinence doesn't prevent unauthorized physical access. Besides, penetration testing is a vital part of security.

    Now I need to go take a shower.

    --
    It's nothing but crumpled porno and Ayn Rand.
  18. Overridden by higher parts of the brain by brownaroo · · Score: 3, Insightful

    As a programmer I find (in regards to security) that fear is often overridden by laziness