According to Bruce Schneier, one of the foremost experts on security in the world (and a top executive at BT), security is both a feeling and a reality. And those two things, though related, are definitely not the same.
Solving complex security problems is about breaking them into smaller and simpler steps. He’s developed five key questions that put all security choices – made by governments, companies or individuals – into context, showing the trade-offs that are required and their consequences.
Schneier believes the reality of security is mathematical, based on the probability of different risks and the effectiveness of different countermeasures. We can calculate how secure your home is from burglary, for example, based on factors like the crime rate in your neighbourhood and whether you lock your doors or not. We can calculate how likely it is for you to be murdered, either on the streets by a stranger or at home by a family member. Or how likely you are to suffer identity theft. Given enough statistics, it’s not even hard – insurance companies do it all the time.
We can also calculate how much more secure a burglar alarm will make your home, or how well a credit freeze will protect you from identity theft.
But, Schneier argues that security is also a feeling, based not on probabilities, but on your psychological reactions to both risks and countermeasures. You might feel terribly afraid of terrorism, or you might feel it’s not worth worrying about. You might feel safer when removing your shoes at airport security gates, or you might not. You might feel you’re at a high risk of burglary, medium risk of murder, and low risk of identity theft. And your neighbour, in the exact same situation, might feel that he’s at high risk of identity theft, medium risk of burglary, and low risk of murder.
More generally, you can be secure even though you don’t feel secure. And you can feel secure even though you’re not. The feeling and reality of security are certainly related to each other, says Schneier, but they’re just as certainly not the same as each other. In fact, we’d probably be better off if we had two different words for them.
Schneier, who is also Chief Security Technology Officer of BT, has written a book – called Beyond Fear – that investigates how people and companies can deal with a complex thing like security.
Schneier seeks to demystify security, by breaking it down into smaller and simpler steps. He has developed a five-step process to analyse and evaluate security systems, technologies and practices. Each of the five steps contains a key question that helps you focus on your particular security choices, whether the purchase of new security software or the company-wide implementation of specific countermeasures. The five questions help you determine which kinds of security make sense and which don’t.
1. What are you trying to protect?
This question might seem basic, but a surprising number of people never ask it. Answering the question effectively means understanding the scope of the problem. For example, securing an airplane, an airport, commercial aviation, the transportation system and a nation against terrorism are all different security problems requiring different solutions.
2. What are the risks to those assets?
Here Schneier considers the need for security. Answering this question involves understanding what is being defended, what the consequences are if it is successfully attacked, who wants to attack it, how they might attack it and why.
3. How well does the security solution mitigate those risks?
Another seemingly obvious question, but one, Schneier believes, that is regularly ignored. If the security solution doesn’t solve the problem, it’s no good. This is not as simple as looking at the security solution and seeing how well it works. It involves looking at how the security solution interacts with everything around it, evaluating both its operation and its failures.
4. What other risks does the security solution cause?
This question addresses what might be called the problem of unintended consequences. Security solutions have ripple effects, Schneier says, and most cause new security problems. The trick is to understand the new problems and make sure they are smaller than the old ones.
5. What costs and trade-offs does the security solution impose?
Every security system has costs and requires trade-offs. Most security costs money, sometimes substantial amounts; but other trade-offs may be more important, ranging from matters of convenience and comfort to issues involving basic freedoms like privacy. Understanding these trade-offs is essential.
Schneier applies these five questions to some of the critical security challenges faced today, examining, for example, the debate about the need for national ID cards and countering the terrorist threat, among other issues.
He delivers some surprising and often counter-intuitive conclusions and argues that, contrary to popular belief, security is not mysterious, nor even hard. What is hard is separating the hype from what really matters.
Schneier invites his readers to move beyond fear and to start thinking sensibly about security. He shows that security is much more than CCTV, armed guards or having photo IDs in every wallet or purse. He shows that expensive gadgets and technological cure-alls often obscure the real security challenges.
Bruce Schneier’s non-alarmist, straight-talking, sensible approach is a welcome antidote to much of the hyperbole spouted by other security experts. It needs to be read by every government official and company manager who is responsible for making choices about security.