Slashdot Mirror

← Back to Stories (view on slashdot.org)

Humans Not Evolved for IT Security

Posted by ScuttleMonkey on from the wait-it-guys-have-emotions? dept.

Stony Stevenson writes to tell us that at the recent RSA Conference security expert Bruce Schneier told delegates that human beings are not evolved for security in the modern world, especially when it comes to IT. "He told delegates at the 2007 RSA Conference that there is a gap between the reality of security and the emotional feel of security due to the way our brains have evolved. This leads to people making bad choices. 'As a species we got really good at estimating risk in an East African village 100,000 years ago. But in 2007 London? Modern times are harder.'"

23 of 302 comments (clear)

  1. really by snarkh · · Score: 5, Funny

    As a species we got really good at estimating risk in an East African village 100,000 years ago.

    I wonder how many days would that guy last in an East African village 100,000 years ago.

    1. Re:really by apparently · · Score: 4, Funny
      Last time I walked through Harlem, the hoodz said I had to fucking PROVE my wealth and whitenses before they would even consider robbing me. I showed them paystubs, my Discover card, even an ATM receipt, and still they doubted how rich I was! And don't get me started on the "white" thing, apparently they don't go by complexion any more, you gotta keep a DNA sample on you with a notarized letter from a scientist stating that he confirms your race.

      Us white, rich folk never had it so tough.

      Also, you really ought to be awarded with some sort of "waste of a condom" trophy.

    2. Re:really by mstahl · · Score: 4, Funny

      Come on. Bruce Schneier is like the Chuck Norris of the IT industry. He'd outlast us all!

      Remember. There are no prime numbers, only numbers that Bruce Schneier doesn't want you to factor!

  2. do you want to check my shoes? by User+956 · · Score: 4, Insightful

    He told delegates at the 2007 RSA Conference that there is a gap between the reality of security and the emotional feel of security due to the way our brains have evolved.

    Which is why, a lot of times, you end up with security theatre, instead of real security.

    --
    The theory of relativity doesn't work right in Arkansas.
    1. Re:do you want to check my shoes? by Kjella · · Score: 5, Informative

      And don't forget CYA security - security rules that aren't being followed and aren't being enforced either - but that exist solely so that when shit hits the fan, the bosses can say it was against policy. These are usually extremely draconian, impossible to implement or practicly impossible to follow while getting work done. But hey, it looks good on paper...

      --
      Live today, because you never know what tomorrow brings
  3. Ms Abacha? by Mr_Icon · · Score: 5, Funny

    Looking at the number of people falling for Nigerian scammers, I'd say that our ability to "estimate risk in an East African village" is not so hot either. :)

    --
    If you open yourself to the foo, You and foo become one.
  4. Humans Not Evolved for IT Security by Daimanta · · Score: 5, Funny

    Thank God I was intelligently designed for this kind of thing ;)

    --
    Knowledge is power. Knowledge shared is power lost.
    1. Re:Humans Not Evolved for IT Security by gammygator · · Score: 5, Funny

      That's because in Soviet Kansas, nothing evolves...

      --

      No Nyarlathotep, No Chaos
      Know Nyarlathotep, Know Chaos
  5. Bad Analogies Abound by eldavojohn · · Score: 5, Interesting

    "The brain is still in beta mode, it's got all sorts of patches and workarounds. It's not perfectly created, it's clearly evolved up." Wow, just ... wow. I'm not even a biologist but I know that's a terrible analogy. You can't compare the brain to software. We can control software and decide when it 'goes live,' there are no prototypes in nature or evolution. Every attempt is an iteration of the process and the process is never ending. Furthermore, the existence of an absolute of 'perfectly created' is debatable on any level in regards to any process or system.

    Exaggerate uncommon risks -- for example, air travel is safer than cars but because car accidents are common they are seen as less risky Maybe because everyone involved in an air plane crash usually dies. Automobile deaths are much less. There's this idea of risk = probability * impact. In the case of automobiles, probability is high but the impact is low. It's the other way around in aircraft failures.

    Personified risk -- Osama Bin Laden is scarier than a faceless threat How in the hell does this relate to IT security? I think IT administrators are more afraid of the people they don't know hacking their systems then the people they actually employ doing the same. In the end, I'm sure more attacks come internally or from an ex-worker than someone unknown. Maybe the face you know should be more scary than the face you don't at the office?

    Risks that could be controlled -- The DC sniper caused a few deaths but the response was way out of proportion. Please elaborate, I know of the John Lee Malvo incident but I have no idea how this relates to IT security. Are you telling me that shutting down a system to protect a database from a possible threat or virus is overkill? I would respond with that varying on a case by case basis but at my job, offline databases are worth maintaining the integrity of the data inside them.

    I know I'm really coming off as a jerk when I say this but I don't think this article helped me in anyway. All I saw was someone over simplifying a complex problem--thereby making them seem smarter to the people they were explaining it to.

    Don't read this article, it has nothing to offer you. If you don't know this subject, I believe this article will only add to your confusion and lack of understanding.
    --
    My work here is dung.
    1. Re:Bad Analogies Abound by SatanicPuppy · · Score: 5, Interesting

      This is actually a hot psychological topic right now; humanities tendency to poorly conceptualize risk. We're far more worried about diseases we're unlikely to catch, than ones we are. Plane crashes are scary because planes aren't familiar to most people; poor understanding of the risks magnifies fear. People always worry about the stereotypical malicious strangers, when most assaults come from people you already know.

      I think mostly he's just pointing all this out as background to the tendency to poorly appreciate risk. He's basically saying, "People apply more worry to splashy things that aren't likely to happen, and therefore we have these huge data breaches because who cares about SSNs when the terrorists could be blowing up a nuke plant?"

      The only place where I think he's totally off base is calling the brain "a patchwork". It's not, in fact. It's extremely finely tuned to do what we need it to do...It makes us ferociously competitive animals, and that is proven rather than disproven, by all the security problems that we've been having. If we weren't competitive, we wouldn't have problems. The fact that not everyone works at the same level is irrelevant.

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  6. Stupid. by SatanicPuppy · · Score: 4, Insightful

    We're not evolved for space flight either. You can't apply "evolution" as a blanket to tool use at the level we've taken it; we have evolved a capacity for abstract thought which allows us to create highly complex tools...Saying that we're not evolved to assess risk on a level as abstract as this is disingenous...When was the last time a virus jumped out of your computer and ate you? There is no evolutionary pressure involved with such intellectual pursuits.

    It's perhaps more accurate to say that only a few people are capable of truly understanding this stuff at all, and for the rest it's just black magic. Of course they don't appreciate the risk. I guess B.S was trying to find a rational reason why people just categorically don't understand security when applied to technology, but I think it's more just that they're doing well to be able to use the tech at all. We're going to have to have a lot higher skill level among users before we can expect them to truly appreciate security.

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  7. so what? by AxemRed · · Score: 4, Insightful

    We aren't specifically evolved do algebra either, and we (well, many of us) do a decent job at that. Humans are evolved to learn and adapt.

    1. Re:so what? by kebes · · Score: 4, Insightful

      We aren't specifically evolved do algebra either, and we (well, many of us) do a decent job at that. Humans are evolved to learn and adapt.
      Absolutely. But Schneier's point is not that it is impossible for humans to think rationally about IT security, but that it does not 'come naturally' to the average person. The same is true of algebra and other branches of mathematics: humans in general have very advanced knowledge in these areas, but it is still quite easy to construct a mathematical problem that will trip up a layperson, because most people are not formally trained in mathematics, and will incorrectly invoke "common sense" when solving a problem.

      The fact is that humans have an in-built "threat and probability analysis" system that was optimized to deal with "real world" situations like searching for food, avoiding predators, finding mates, etc. It is for this reason that gambling "works." People are easily tricked into believing that they can "beat the system" or "find a pattern." They believe that having rolled many sixes recently, they are "due for a 1 or a 2" even though the probability of rolling a particular number on a die is independent of previous rolls. This is because most of our in-built probability estimators assume chains of events are causally linked (which is a reasonable assumption in the "real world"--i.e. if it's been a long time since it has rained, it is indeed "due to rain soon").

      In the realm of security, Schneier identifies certain assumptions that our minds make, which are actually fallacies when it comes to modern security (e.g. that a commonly occurring risk is less important than a rare risk).

      We are not "built" to deal with modern security. As with advanced math, rather than rely on common sense (and its associated useless rhetoric) to set security policy, we need to have detailed arguments citing well-documented studies. We can indeed rise above our "programming," but far too many people don't bother trying--and continue to rely on common sense even when it is a demonstrably poor predictor.
  8. Smith by pete-classic · · Score: 5, Funny

    "Only human."
    --Agent Smith on IT security

  9. because people want the easy way by hobo+sapiens · · Score: 4, Insightful

    People want the easy way. Security and "the easy way" are often at odds.

    Case in point...I was in a hospital ER the other day, waiting in the room (for a very long time), and I looked at the computer in the room. I noticed that someone affixed a sticker to the keyboard tray with (presumably) the windows domain login info. Had I wanted to, I could have logged in and probably gotten to all kinds of medical records. Someone from the hospital's CIS department would probably poop a brick if he saw that.

    People are lazy, and security folks constantly have to toe the line between making things hard enough to be secure but not so hard that it's just easier to find the loopholes.

    --
    blah blah blah
  10. Just an excuse by Kohath · · Score: 4, Insightful

    Security solutions have to be designed around usability. If usability isn't the #1 or #2 consideration, it will increase the failure rate of the humans involved and you'll end up with an insecure system in practice regardless of the technical merits of the security methods.

  11. What a pile of carp by Roadkills-R-Us · · Score: 4, Interesting

    The real problems are, in no particular order:

    1) A lot of people are either stupid or uneducated.
    2) A lot of people don't bother to think.
    3) A Lot of people are sheep and believe what they're told by marketing.
    4) A lot of people are lazy.

    I guarantee you this covers the vast majority of the problems with IT security. It's not biological evolution, though you could make a good argument for societal devolution being the problem.

  12. Re:Stupid Crap by Quiet_Desperation · · Score: 4, Interesting

    which makes it difficult to use, then say that people are just too dumb to use it.

    That always amazes me to this day.

    IT GUY: Your PC is insecure.
    AVERAGE JOE: I don't really know how to properly secure it.
    IT GUY: Dumbfuck.

    Yeah, great approach. Gosh, why don't we teach kids that way?

    TEACHER: What's 147 divided by 7?
    FIRST GRADER: You haven't taught us division yet.
    TEACHER: Dumbfuck.

  13. Open letter to God by EmbeddedJanitor · · Score: 4, Funny
    Better luck with Humans V2.0.

    Anyway you should only trust Humans V1.0 after SP1 has been released.

    --
    Engineering is the art of compromise.
  14. Re:Stupid Crap by Sax+Maniac · · Score: 4, Funny
    What I usually see is this:

    IT GUY: Your PC is insecure.
    CEO: It's your job to secure it, dumbfuck. Give me a secure computer.
    IT GUY: Yes sir.

    --
    I can explanate how to administrate your network. You must configurate and segmentate it, so it can computate.
  15. Re:Thanks Bruce, but call us when you're qualified by ifoxtrot · · Score: 4, Informative
    I don't usually respond to negative posts, but this is something I feel quite strongly about:

    1. You don't have to have a qualification in something to know enough to make an enlightened statement about a particular subject. If we were to restrict talking about the weather only to meteorologists, small talk would vanish overnight. In a more serious vein, interdisciplinary research would be even more difficult than it is now. Imagine having to have a qualification in both psychology and security to be able to publish research into this?

    2. A qualification is simply a piece of paper that has been accredited by some educational body, presumably recognising a standard of education in a particular field. Just because you don't have the piece of paper doesn't mean you don't have the knowledge. How do you know that Bruce Schneier doesn't, in fact, know as much (or possibly more) about evolutionary biology or behavioural psychology than yourself? Does the fact that I haven't studied engineering preclude me from having insightful discussions with an engineer? Do my opinions matter less because I don't have the degree? Does the fact that I have a PhD in computer security (and you presumably don't) mean that any opinion I state on the subject is somehow more valid because I hold the qualification and you don't?

    3. Bruce Schneier is eminently qualified to make statements about security (which is afterall a central aspect of his thesis). He has been conducting extensive research into psychological aspects of IT security (you can see a draft essay on the topic at http://www.schneier.com/essay-155.pdf). This research has included long discussions with psychologists and serious reviews of the literature. I would content that there are very few people on this planet that are truly as knowledgeable in both security and the psychology of security as Bruce Schneier is now. I would be equally interested in the views of a psychologist who undertook research into security -- I know only of a handful that have done so, and none have the particular angle that Schneier has adopted.

    4. That is not to say that everything the Schneier is saying on the topic is faultless, or that I agree with everything he says, but I'll debate the ideas, not the man. I personally find it objectionable to anthropomorphise an evolutionary process, or talk about the intent of evolution. But what do I know, I don't have a degree in evolutionary biology...

  16. Or in short... by pb · · Score: 4, Insightful

    "IT Security Not Evolved for Humans".

    --
    pb Reply or e-mail; don't vaguely moderate.
  17. Re:Lets think about this. by joto · · Score: 5, Interesting

    but in an era where there is (comparatively) little immediate threat to life, we are not overly prepared to deal with subtle threats to information or technology

    If somebody breaks into my computer, will I die? No. Will I become sick of temporarily disabled? No. Will I lose money? Possible, but unlikely, and in any case the insurance company will get them back for me. Should I therefore hire a security consultant? NO!

    I believe most people get this analysis right.

    We are prepared to react to predators that want to eat us and starvation, but ill prepared to deal with people that want to defraud us and steal possessions that may not be immediately with us.

    More importantly, we are unable to plan for long-term security. If the planets ecosystem is under attack from global warming, creating and/or spreading lots of new diseases (harming us, our food, or in some other indirect way), do we stop emitting pollutants contributing to global warming? No. Do we invest money into biological research and education so we can handle the new diseases? No. Do we invest significantly in technological countermeasures, such as painting Sahara white, building dams against floods or the rising ocean, or even storing CO2? No. Do we do anything at all? Not really, unless you count selling quotas to each other.