Reality check for security

Beyond Fear cover

Recently, I read Bruce Schneier's book Beyond Fear. It was quite an enlightening read: quite a few of the things the book was about were obvious in some intuitive level, but Schneier managed to formulate them in a logical manner. Even better, the formulation was very clear, consistent and easy to follow. Although the book was occassionally a bit tedious, it still was very entertaining to read, thanks to numerous examples. I especially liked those taken from the behavior or characteristics of different animals. Being both enlightening and entertaining is not very easily accomplished.

After a (somewhat populistic, at least from an European point of view) 9/11-intro, the book talks a lot about security risks, risk mitigation and trade-offs. It starts by analyzing situations where humans make subconscious security decisions such as crossing the street when the pedestrian light is red: when the pedestrian sees clearly that no cars approach, the trade-off of waiting for green light is too great for improved security of green light for most people (of course, the law-abideness of the pedestrian also has an effect on this). Analyzing these mundane antics is a good and clear way of introducing a formal security analysis system.

When the reader has gained some knowledge of basic security and the difference between true security and "security theater", Schneier moves on to analyze more complex security systems, such as the effect of spectacularity (media attention) or personification (as opposed to anonymity) of victims. It's clear why too powerful police force is actually a security risk to the citizens rather than a risk mitigation. A basic characteristic of technology is that it enables; restricting is much more difficult. This fact brings forth both good and evil: it will be difficult to secure a house, but it will be probably impossible to generate a totalitaristic computing platform even with a cute name like "trustworthy computing".

Schneier manages to stay politically neutral even with the touchy subject of terrorism, although I think there was quite severe critique towards the American foreign policy between the lines (paraphrasing, "after being mugged, no one accuses you of being in the dark alleys, but would it have been wiser not to enter them in the first place?"). As a side note, this is probably what the Finnish politicians and media should be considering about NATO: will joining mitigate threats or aggravate them? (Of course, before that one should ask "what risks?"...)

The book revealed a few rather bleak matters about the world. History shows that in the long run, terrorism does work. And quite a few of the people in charge of security decisions obviously cannot see the true value of their actions. Security cannot just be "placed" by adding security cameras, ID checks or other arbitrary policies, it must be planned. Maybe even more important point is that increasing security does not need to mean reduced liberties.

The average member of a yellow press audience scarcely is going to read the book, but it really puts different risks into perspective: it's 200 times more probable to be struck by a lightning than die of anthrax. Combined with critical analysis of sensational media makes the book even more informative. Security is not of any value per se and it should be applied with caution and where needed - exaggeration is easy, hence prevalent.

I would recommend the book to those in charge of security policies (even more, I would insist that they read it) and to everyone who just wants to know how different systems work. Security is not totally unlike other systems.

Categories: Literature
Posted by Matias at 07.12.2004 22.42 (12 years ago) | 1359 comments


Post a new comment

Will be displayed within an image file, hopefully undecipherable to address harvesters.

content licensed under Creative Commons BY-NC-SA - Valid HTML 5