
Humans Not Evolved for IT Security

Stony Stevenson writes to tell us that at the recent RSA Conference security expert Bruce Schneier told delegates that human beings are not evolved for security in the modern world, especially when it comes to IT. "He told delegates at the 2007 RSA Conference that there is a gap between the reality of security and the emotional feel of security due to the way our brains have evolved. This leads to people making bad choices. 'As a species we got really good at estimating risk in an East African village 100,000 years ago. But in 2007 London? Modern times are harder.'"

7 of 302 comments

  1. Re:really by Anonymous Coward · Score: 1, Informative

    There were East African villages 100,000 years ago?

  2. Phhhh ... by foobsr · Score: 2, Informative

    ... if it really must be Schneier, read: "Why the Human Brain Is a Poor Judge of Risk" (Wired), but better immediately turn to Kahneman.

    CC.

    --
    TaijiQuan (Huang, 5 loosenings)

  3. Thanks Bruce, but call us when you're qualified by SIIHP · Score: 1, Informative

    "Originally from New York City, Schneier currently lives in Minneapolis, Minnesota. Schneier has a Master's degree in computer science from American University and a Bachelor of Science degree in physics from the University of Rochester. Before Counterpane, he worked at the United States Department of Defense and then AT&T Bell Labs."

    I don't see anything about "behavioral psychology" or "evolutionary biology" in there.

    So, sorry Bruce, but you're not qualified to make that statement with any authority, and frankly, your position as an expert on security should make you more wary of voicing lay opinions about subjects in which you have no expertise.

    --
    I only go to buffets for the unlimited soft serve.
    1. Re:Thanks Bruce, but call us when you're qualified by ifoxtrot · Score: 4, Informative

      I don't usually respond to negative posts, but this is something I feel quite strongly about:

      1. You don't have to have a qualification in something to know enough to make an enlightened statement about a particular subject. If we were to restrict talking about the weather only to meteorologists, small talk would vanish overnight. In a more serious vein, interdisciplinary research would be even more difficult than it is now. Imagine having to have a qualification in both psychology and security to be able to publish research into this?

      2. A qualification is simply a piece of paper that has been accredited by some educational body, presumably recognising a standard of education in a particular field. Just because you don't have the piece of paper doesn't mean you don't have the knowledge. How do you know that Bruce Schneier doesn't, in fact, know as much (or possibly more) about evolutionary biology or behavioural psychology than yourself? Does the fact that I haven't studied engineering preclude me from having insightful discussions with an engineer? Do my opinions matter less because I don't have the degree? Does the fact that I have a PhD in computer security (and you presumably don't) mean that any opinion I state on the subject is somehow more valid because I hold the qualification and you don't?

      3. Bruce Schneier is eminently qualified to make statements about security (which is after all a central aspect of his thesis). He has been conducting extensive research into psychological aspects of IT security (you can see a draft essay on the topic at http://www.schneier.com/essay-155.pdf). This research has included long discussions with psychologists and serious reviews of the literature. I would contend that there are very few people on this planet that are truly as knowledgeable in both security and the psychology of security as Bruce Schneier is now. I would be equally interested in the views of a psychologist who undertook research into security -- I know only of a handful that have done so, and none have the particular angle that Schneier has adopted.

      4. That is not to say that everything Schneier is saying on the topic is faultless, or that I agree with everything he says, but I'll debate the ideas, not the man. I personally find it objectionable to anthropomorphise an evolutionary process, or talk about the intent of evolution. But what do I know, I don't have a degree in evolutionary biology...

  4. Re:do you want to check my shoes? by Kjella · Score: 5, Informative

    And don't forget CYA security - security rules that aren't being followed and aren't being enforced either - but that exist solely so that when shit hits the fan, the bosses can say it was against policy. These are usually extremely draconian, impossible to implement or practically impossible to follow while getting work done. But hey, it looks good on paper...

    --
    Live today, because you never know what tomorrow brings

  5. Re:really by Anonymous Coward · Score: 1, Informative

    He says we GOT really good, not we (STILL) ARE really good. RTFA.

  6. Re:Let's think about this. by magisterx · Score: 2, Informative

    More to the point, people are bad at estimating certain types of risks, and they are focused on certain types of risk. Historically, people are most worried about immediate threats to life and limb. Naturally that will always be a concern, but in an era where there is (comparatively) little immediate threat to life, we are not overly prepared to deal with subtle threats to information or technology. We are prepared to react to predators that want to eat us and starvation, but ill prepared to deal with people that want to defraud us and steal possessions that may not be immediately with us.