Humans Not Evolved for IT Security
Stony Stevenson writes to tell us that at the recent RSA Conference security expert Bruce Schneier told delegates that human beings are not evolved for security in the modern world, especially when it comes to IT. "He told delegates at the 2007 RSA Conference that there is a gap between the reality of security and the emotional feel of security due to the way our brains have evolved. This leads to people making bad choices. 'As a species we got really good at estimating risk in an East African village 100,000 years ago. But in 2007 London? Modern times are harder.'"
As a species we got really good at estimating risk in an East African village 100,000 years ago.
I wonder how many days would that guy last in an East African village 100,000 years ago.
He told delegates at the 2007 RSA Conference that there is a gap between the reality of security and the emotional feel of security due to the way our brains have evolved.
Which is why, a lot of times, you end up with security theatre, instead of real security.
The theory of relativity doesn't work right in Arkansas.
Looking at the number of people falling for Nigerian scammers, I'd say that our ability to "estimate risk in an East African village" is not so hot either. :)
If you open yourself to the foo, You and foo become one.
Thank God I was intelligently designed for this kind of thing ;)
Knowledge is power. Knowledge shared is power lost.
> Exaggerate uncommon risks -- for example, air travel is safer than cars but because car accidents are common they are seen as less risky

Maybe because everyone involved in an airplane crash usually dies. Automobile deaths are much less. There's this idea of risk = probability * impact. In the case of automobiles, probability is high but the impact is low. It's the other way around in aircraft failures.

> Personified risk -- Osama Bin Laden is scarier than a faceless threat

How in the hell does this relate to IT security? I think IT administrators are more afraid of the people they don't know hacking their systems than the people they actually employ doing the same. In the end, I'm sure more attacks come internally or from an ex-worker than someone unknown. Maybe the face you know should be more scary than the face you don't at the office?

> Risks that could be controlled -- The DC sniper caused a few deaths but the response was way out of proportion.

Please elaborate, I know of the John Lee Malvo incident but I have no idea how this relates to IT security. Are you telling me that shutting down a system to protect a database from a possible threat or virus is overkill? I would respond that it varies on a case by case basis, but at my job, offline databases are worth maintaining the integrity of the data inside them.
I know I'm really coming off as a jerk when I say this, but I don't think this article helped me in any way. All I saw was someone oversimplifying a complex problem--thereby making them seem smarter to the people they were explaining it to.
Don't read this article, it has nothing to offer you. If you don't know this subject, I believe this article will only add to your confusion and lack of understanding.
My work here is dung.
As an INFOSEC person, I see this kind of mentality on a daily basis. Still, there is a realization of the costs of outages due to attacks, and that I see. Slowly but surely it's changing. Compared to evolutionary changes, though, it's a blink of an eye.
We're not evolved for space flight either. You can't apply "evolution" as a blanket to tool use at the level we've taken it; we have evolved a capacity for abstract thought which allows us to create highly complex tools... Saying that we're not evolved to assess risk on a level as abstract as this is disingenuous... When was the last time a virus jumped out of your computer and ate you? There is no evolutionary pressure involved with such intellectual pursuits.
It's perhaps more accurate to say that only a few people are capable of truly understanding this stuff at all, and for the rest it's just black magic. Of course they don't appreciate the risk. I guess B.S. was trying to find a rational reason why people just categorically don't understand security when applied to technology, but I think it's more just that they're doing well to be able to use the tech at all. We're going to have to have a lot higher skill level among users before we can expect them to truly appreciate security.
Ad logicam: claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
We aren't specifically evolved to do algebra either, and we (well, many of us) do a decent job at that. Humans are evolved to learn and adapt.
"Only human."
--Agent Smith on IT security
... if it really must be Schneier, read: "Why the Human Brain Is a Poor Judge of Risk" (Wired), but better immediately turn to Kahneman.
TaijiQuan (Huang, 5 loosenings)
People want the easy way. Security and "the easy way" are often at odds.
Case in point...I was in a hospital ER the other day, waiting in the room (for a very long time), and I looked at the computer in the room. I noticed that someone affixed a sticker to the keyboard tray with (presumably) the windows domain login info. Had I wanted to, I could have logged in and probably gotten to all kinds of medical records. Someone from the hospital's CIS department would probably poop a brick if he saw that.
People are lazy, and security folks constantly have to toe the line between making things hard enough to be secure but not so hard that it's just easier to find the loopholes.
blah blah blah
I don't think that's the case. I think it's just that culturally we fear what we don't understand and are being taught to be stupid and proud of it. Biology and evolution have nothing to do with it. We can learn these concepts; we just willingly refuse to for religious and ideological reasons.
There were in South Africa anyway.
Security solutions have to be designed around usability. If usability isn't the #1 or #2 consideration, it will increase the failure rate of the humans involved and you'll end up with an insecure system in practice regardless of the technical merits of the security methods.
The real problems are, in no particular order:
1) A lot of people are either stupid or uneducated.
2) A lot of people don't bother to think.
3) A lot of people are sheep and believe what they're told by marketing.
4) A lot of people are lazy.
I guarantee you this covers the vast majority of the problems with IT security. It's not biological evolution, though you could make a good argument for societal devolution being the problem.
Is there anything on which Bruce Schneier is not an expert? Now he's an expert on evolution? I'm not sure why he thinks his knowledge of cryptography qualifies him to hold forth on every freaking subject on the planet.
What I'm listening to now on Pandora...
You're making the mistake of judging the validity of a claim based on the person's authority. Even Wikipedia, your favorite source, has info on that. Just make sure to read the article in its entirety. Your comment would in fact be far more helpful if it would actually dissect his theory. Because, quite frankly, if we're going by authority as the prime criterion for when anyone should say anything, you'd only be allowed to talk about the lint in your navel.
Those who can, do. Those who can't, sue.
So that's why my common sense tells me I don't need to hide under my bed from the bad, bad terrorists, it's just that I can't see them anywhere and not that it's overblown hype.
I'm kinda scared now.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
which makes it difficult to use, then say that people are just too dumb to use it.
That always amazes me to this day.
IT GUY: Your PC is insecure.
AVERAGE JOE: I don't really know how to properly secure it.
IT GUY: Dumbfuck.
Yeah, great approach. Gosh, why don't we teach kids that way?
TEACHER: What's 147 divided by 7?
FIRST GRADER: You haven't taught us division yet.
TEACHER: Dumbfuck.
Then, it sounds like we need a lethal, compulsory video game with a computer security theme.
True science means that when you re-evaluate the evidence, you re-evaluate your faith.
Wow. You truly are entertaining. Here, have some more rope. I'm sure you can find an entertaining way of hanging yourself again.
Anyway you should only trust Humans V1.0 after SP1 has been released.
Engineering is the art of compromise.
IT GUY: Your PC is insecure.
CEO: It's your job to secure it, dumbfuck. Give me a secure computer.
IT GUY: Yes sir.
I can explanate how to administrate your network. You must configurate and segmentate it, so it can computate.
Car crashes are less scary because of familiarity, as you said, but also because you can grab the wheel, yell "look out!", or otherwise act upon your own destiny. And because of vertigo phobia. In a car, you're already on the ground: you aren't going to accelerate towards it inexorably, as planes will if they stall/run out of gas/break/hit another plane/etc.
Familiarity and statistics are just part of it.
You can't take the sky from me...
> You are alone in a dark room and cannot see. You are likely to be eaten by a grue.
Actually, sounds like what you can't see WILL in fact eat you.
1. You don't have to have a qualification in something to know enough to make an enlightened statement about a particular subject. If we were to restrict talking about the weather only to meteorologists, small talk would vanish overnight. In a more serious vein, interdisciplinary research would be even more difficult than it is now. Imagine having to have a qualification in both psychology and security to be able to publish research into this?
2. A qualification is simply a piece of paper that has been accredited by some educational body, presumably recognising a standard of education in a particular field. Just because you don't have the piece of paper doesn't mean you don't have the knowledge. How do you know that Bruce Schneier doesn't, in fact, know as much (or possibly more) about evolutionary biology or behavioural psychology than yourself? Does the fact that I haven't studied engineering preclude me from having insightful discussions with an engineer? Do my opinions matter less because I don't have the degree? Does the fact that I have a PhD in computer security (and you presumably don't) mean that any opinion I state on the subject is somehow more valid because I hold the qualification and you don't?
3. Bruce Schneier is eminently qualified to make statements about security (which is after all a central aspect of his thesis). He has been conducting extensive research into psychological aspects of IT security (you can see a draft essay on the topic at http://www.schneier.com/essay-155.pdf). This research has included long discussions with psychologists and serious reviews of the literature. I would contend that there are very few people on this planet that are truly as knowledgeable in both security and the psychology of security as Bruce Schneier is now. I would be equally interested in the views of a psychologist who undertook research into security -- I know only of a handful that have done so, and none have the particular angle that Schneier has adopted.
4. That is not to say that everything Schneier is saying on the topic is faultless, or that I agree with everything he says, but I'll debate the ideas, not the man. I personally find it objectionable to anthropomorphise an evolutionary process, or talk about the intent of evolution. But what do I know, I don't have a degree in evolutionary biology...
"IT Security Not Evolved for Humans".
pb Reply or e-mail; don't vaguely moderate.
I once heard Neal Stevenson give a similar talk. http://db.tidbits.com/article/05951
He drew pie charts labeled "threat model" where 99% of the chart was "hyenas."
Today, our threat models are a bit more complex.
http://www.anu.edu.au/people/Roger.Clarke/DV/NotesCFP2K.html#Steph
More to the point, people are bad at estimating certain types of risks, and they are focused on certain types of risk. Historically, people are most worried about immediate threats to life and limb. Naturally that will always be a concern, but in an era where there is (comparatively) little immediate threat to life, we are not overly prepared to deal with subtle threats to information or technology. We are prepared to react to predators that want to eat us and starvation, but ill prepared to deal with people that want to defraud us and steal possessions that may not be immediately with us.
If somebody breaks into my computer, will I die? No. Will I become sick or temporarily disabled? No. Will I lose money? Possibly, but unlikely, and in any case the insurance company will get it back for me. Should I therefore hire a security consultant? NO!
I believe most people get this analysis right.
More importantly, we are unable to plan for long-term security. If the planet's ecosystem is under attack from global warming, creating and/or spreading lots of new diseases (harming us, our food, or in some other indirect way), do we stop emitting pollutants contributing to global warming? No. Do we invest money into biological research and education so we can handle the new diseases? No. Do we invest significantly in technological countermeasures, such as painting the Sahara white, building dams against floods or the rising ocean, or even storing CO2? No. Do we do anything at all? Not really, unless you count selling quotas to each other.
Nice BS political troll combining the little shoe explosion (which most probably had no room for a foot) with that much larger plane explosion.
So FWit friends of Fred selling fear in 08, so 'SUP', hmm, fear - obey - corporate profits (try changing the letters it is far more truthful). If you are going to do political trolls on /. at least put some geek/nerd word craft into it ;).
Chaos - everything, everywhere, everywhen