Slashdot Mirror


Humans Not Evolved for IT Security

Stony Stevenson writes to tell us that at the recent RSA Conference security expert Bruce Schneier told delegates that human beings are not evolved for security in the modern world, especially when it comes to IT. "He told delegates at the 2007 RSA Conference that there is a gap between the reality of security and the emotional feel of security due to the way our brains have evolved. This leads to people making bad choices. 'As a species we got really good at estimating risk in an East African village 100,000 years ago. But in 2007 London? Modern times are harder.'"

22 of 302 comments

  1. do you want to check my shoes? by User+956 · · Score: 4, Insightful

    He told delegates at the 2007 RSA Conference that there is a gap between the reality of security and the emotional feel of security due to the way our brains have evolved.

    Which is why, a lot of times, you end up with security theatre, instead of real security.

    --
    The theory of relativity doesn't work right in Arkansas.
  2. Re:really by Anonymous Coward · · Score: 1, Insightful

    I wonder how many days would that guy last in an East African village 100,000 years ago.

    Or today for that matter.

  3. Stupid. by SatanicPuppy · · Score: 4, Insightful

    We're not evolved for space flight either. You can't apply "evolution" as a blanket to tool use at the level we've taken it; we have evolved a capacity for abstract thought which allows us to create highly complex tools...Saying that we're not evolved to assess risk on a level as abstract as this is disingenuous...When was the last time a virus jumped out of your computer and ate you? There is no evolutionary pressure involved with such intellectual pursuits.

    It's perhaps more accurate to say that only a few people are capable of truly understanding this stuff at all, and for the rest it's just black magic. Of course they don't appreciate the risk. I guess B.S was trying to find a rational reason why people just categorically don't understand security when applied to technology, but I think it's more just that they're doing well to be able to use the tech at all. We're going to have to have a lot higher skill level among users before we can expect them to truly appreciate security.

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  4. so what? by AxemRed · · Score: 4, Insightful

    We aren't specifically evolved to do algebra either, and we (well, many of us) do a decent job at that. Humans are evolved to learn and adapt.

    1. Re:so what? by kebes · · Score: 4, Insightful

      We aren't specifically evolved to do algebra either, and we (well, many of us) do a decent job at that. Humans are evolved to learn and adapt.

      Absolutely. But Schneier's point is not that it is impossible for humans to think rationally about IT security, but that it does not 'come naturally' to the average person. The same is true of algebra and other branches of mathematics: humans in general have very advanced knowledge in these areas, but it is still quite easy to construct a mathematical problem that will trip up a layperson, because most people are not formally trained in mathematics, and will incorrectly invoke "common sense" when solving a problem.

      The fact is that humans have an in-built "threat and probability analysis" system that was optimized to deal with "real world" situations like searching for food, avoiding predators, finding mates, etc. It is for this reason that gambling "works." People are easily tricked into believing that they can "beat the system" or "find a pattern." They believe that having rolled many sixes recently, they are "due for a 1 or a 2" even though the probability of rolling a particular number on a die is independent of previous rolls. This is because most of our in-built probability estimators assume chains of events are causally linked (which is a reasonable assumption in the "real world"--i.e. if it's been a long time since it has rained, it is indeed "due to rain soon").

      In the realm of security, Schneier identifies certain assumptions that our minds make, which are actually fallacies when it comes to modern security (e.g. that a commonly occurring risk is less important than a rare risk).

      We are not "built" to deal with modern security. As with advanced math, rather than rely on common sense (and its associated useless rhetoric) to set security policy, we need to have detailed arguments citing well-documented studies. We can indeed rise above our "programming," but far too many people don't bother trying--and continue to rely on common sense even when it is a demonstrably poor predictor.
  5. because people want the easy way by hobo+sapiens · · Score: 4, Insightful

    People want the easy way. Security and "the easy way" are often at odds.

    Case in point...I was in a hospital ER the other day, waiting in the room (for a very long time), and I looked at the computer in the room. I noticed that someone had affixed a sticker to the keyboard tray with (presumably) the Windows domain login info. Had I wanted to, I could have logged in and probably gotten to all kinds of medical records. Someone from the hospital's CIS department would probably poop a brick if he saw that.

    People are lazy, and security folks constantly have to toe the line between making things hard enough to be secure but not so hard that it's just easier to find the loopholes.

    --
    blah blah blah
  6. No, we are simply taught the reverse. by Zombie+Ryushu · · Score: 2, Insightful

    I don't think that's the case. I think it's just that culturally we fear what we don't understand and are being taught to be stupid and proud of it. Biology and evolution have nothing to do with it. We can learn these concepts; we just willingly refuse to for religious and ideological reasons.

  7. Probably by sharp-bang · · Score: 2, Insightful

    There were in South Africa anyway.

    --
    #!
  8. Just an excuse by Kohath · · Score: 4, Insightful

    Security solutions have to be designed around usability. If usability isn't the #1 or #2 consideration, it will increase the failure rate of the humans involved and you'll end up with an insecure system in practice regardless of the technical merits of the security methods.

  9. Is there anything...? by Otter · · Score: 2, Insightful

    Is there anything on which Bruce Schneier is not an expert? Now he's an expert on evolution? I'm not sure why he thinks his knowledge of cryptography qualifies him to hold forth on every freaking subject on the planet.

  10. Re:Thanks Bruce, but call us when you're qualified by NeutronCowboy · · Score: 3, Insightful

    So, sorry Bruce, but you're not qualified to make that statement with any authority

    You're making the mistake of judging the validity of a claim based on the person's authority. Even Wikipedia, your favorite source, has info on that. Just make sure to read the article in its entirety. Your comment would in fact be far more helpful if it would actually dissect his theory. Because, quite frankly, if we're going by authority as the prime criterion for when anyone should say anything, you'd only be allowed to talk about the lint in your navel.

    --
    Those who can, do. Those who can't, sue.
  11. Re:Bad Analogies Abound by Lurker2288 · · Score: 3, Insightful

    In the sense that brains in general started off in a much simpler state with no need to handle many of the things it's currently capable of (binocular vision, manual dexterity, doing calculus) and it got to where it is one incremental improvement at a time, then yes, it most certainly is a patchwork. You can see it in the gross structure: you've got the reptilian hindbrain that keeps your body functioning in a narrow homeostatic envelope all the way at the bottom, atop which sits a cerebellum that allows for things like emotion (great for pair bonding and knowing to run away from big things with pointy teeth), and atop all of that you've got the cerebrum that enables most of your higher intellectual activity.

    The fact that this magnificent hodgepodge seems to be so perfectly attuned to our needs is almost definitional, as well as being a kind of survivor bias. That is, our brains are great at what we need them to do precisely because they evolved to do those things; brains that were evolved to do other things, or that did the same things, but not as well as ours, died off. Schneier's point is that the modern world has changed a lot faster than our brains are able to, and as a result, we're maladapted for some of the tasks facing us today, like assessing remote risks.

  12. Re:Bad Analogies Abound by SatanicPuppy · · Score: 3, Insightful

    That's part of it, but you're still more likely to die in a bus or taxi accident, and they're not viewed with the same unreasoning fear though they also lack control.

    We are all soothed by familiar routine. This is the purpose of disaster drills, so if your building does catch fire, your mind will move into that pre-built track, and move effectively, without being paralyzed by the need to act conflicting with the fact that you have no idea of what to do. Planes are not only outside our control, they're outside most people's experience, so an event which is no more significant than a bus running through a pothole elicits a greater level of fear due to it being an unknown, rather than a familiar, occurrence.

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  13. Re:Stupid Crap by Anonymous Coward · · Score: 1, Insightful

    More like this:

    IT GUY: Please use a secure password. Try using a phrase you're familiar with, and stick in a couple of numbers and special characters. It's good to use at least 16 characters.

    USER: Look, can I just leave it empty, so I can hit the button and log in?

    IT GUY: No. Look, just pick a line from a poem or something. Stick a number or two in. That's good enough.

    USER: Why do I have to log in all the time! You guys are a pain in the ass.

    IT GUY: I'll make it easy for you. Pick a secure password or I'll lock your account and file a complaint with your supervisor.

    USER: IT NAZI!

    That's how it goes in most organizations...

  14. Don't poke the bear by Scrameustache · · Score: 3, Insightful

    Plane crashes are scary because planes aren't familiar to most people;

    Actually, plane crashes are scary because once you're on the plane, there is nothing you can do about them.
    Car crashes are less scary because of familiarity, as you said, but also because you can grab the wheel, yell "look out!", or otherwise act upon your own destiny. And because of vertigo phobia. In a car, you're already on the ground: you aren't going to accelerate towards it inexorably, as planes will if they stall/run out of gas/break/hit another plane/etc.

    Familiarity and statistics are just part of it.

    --
    You can't take the sky from me...

  15. Re:Thanks Bruce, but call us when you're qualified by DerekLyons · · Score: 1, Insightful

    So, sorry Bruce, but you're not qualified to make that statement with any authority, and frankly, your position as an expert on security should make you more wary of voicing lay opinions about subjects in which you have no expertise.

    Don't forget that his paycheck depends on him voicing unfounded opinions and creating fears where none existed before. Without generating fear, he can't get consulting gigs. Without generating controversy, his value as a pundit and speaker goes down.
  16. Or in short... by pb · · Score: 4, Insightful

    "IT Security Not Evolved for Humans".

    --
    pb Reply or e-mail; don't vaguely moderate.
  17. Re:Stupid Crap by Anonymous Coward · · Score: 1, Insightful

    You forgot...

    IT GUY: And change all five of your 16 character passwords every 2 months, choosing a different password each time with no repeating.

    USER: ... Right. Where are my post-its?

    Sometimes IT Security professionals aren't evolved enough to understand humans.

  18. Re:Bad Analogies Abound by Anonymous Coward · · Score: 1, Insightful

    The only place where I think he's totally off base is calling the brain "a patchwork". It's not, in fact. It's extremely finely tuned to do what we need it to do. You're both right. It's an extremely finely tuned patchwork.

    Look at something basic like the visual processing subsystem. Think of all the optical illusions you've seen (or use google if you need some more). Our brain's software has bugs in recognising even something as simple as a moving coloured square, which shows that it has serious fundamental flaws. But at something like spotting a tiger in tall grass, it's red hot - far better than any synthetic object-recognition software that we're likely to write for some time yet.

    Our brains are like software that has been through several million testing/patch cycles. Except that the patching stage is carried out by randomly modifying the code, usually introducing other bugs - which, if they're not critical in the default user environment (of an African village), will generally go unfixed.
  19. Re:What a pile of carp by turing_m · · Score: 2, Insightful

    It also stems from upper management either not being smart enough or not dedicating enough time to do a bit of basic research on security, so then they either ignore security issues entirely, or want security but completely underestimate the intelligence required to do a good job at it.

    I'm reminded of reading "Surely You're Joking, Mr Feynman!", where Feynman routinely bypassed the cargo-cultish efforts at security by his ostensible military overseers. It's the same pattern - primitive people attempting to construct something that is fundamentally incomprehensible to them. On one hand, you have New Guineans building an "airfield" expecting to magically get cargo, not understanding that a landing strip is only one piece in a gigantic logistical chain. On the other hand, you have people whose fundamental intelligence limit is blue collar or middle management type work buying the most expensive safe money can buy and not changing the combination from the factory default!

    --
    If I have seen further it is by stealing the Intellectual Property of giants.
  20. Re:really by Agripa · · Score: 2, Insightful

    I wonder how many days would that guy last in an East African village 100,000 years ago.

    If he had grown up in that environment I would guess he would do fine. None of his ancestors died without having successful children.

  21. Re:About those shoes... by rtb61 · · Score: 2, Insightful

    So one crazy shoe bomber and a few hundred million shoes later, how many exploding shoes have they found? So why aren't they strip searching everybody, if it is real? Think of bombs in bras and cavity insertions, or at an absolute minimum completely dismantling every electronic component that goes onto a plane, every camera, phone, laptop, pda and media player. Better yet, if you can afford to fly you can afford to buy all new stuff at your destination, great for corporate profits and besides, what is wrong with flying naked if you have nothing to hide, hmm.

    Nice BS political troll combining the little shoe explosion (which most probably had no room for a foot) with that much larger plane explosion.

    So FWit friends of Fred selling fear in 08, so 'SUP', hmm, fear - obey - corporate profits (try changing the letters it is far more truthful). If you are going to do political trolls on /. at least put some geek/nerd word craft into it ;).

    --
    Chaos - everything, everywhere, everywhen