
24 April 2008

Schneier calls for curtains on ‘security theatre’

Eleanor Dallaway, reporting from Infosecurity Europe 2008

Vendors invent self-serving security models which make customers believe they need their product to eradicate a security threat that doesn’t exist, Bruce Schneier told a full theatre at Infosecurity Europe, 23 April.

Schneier, of BT Counterpane, spoke of what he termed ‘security theatre’, the difference between the reality of security and the feeling. “The world of security is overloaded with different meanings”, he began, “Security is a trade-off, you need to spend money, time, liberty, to get security. But are the security measures worth the trade-off?” For example, although a bullet-proof vest is an effective form of protection, it’s not worth the comfort, fashion and convenience trade-offs that would need to be made to wear it all the time and achieve security, he stated.

“Humans are pretty bad at knowing what security trade-offs to make”, Schneier argued. “And that’s because we make decisions based on the feeling of security, not the reality. We tend to exaggerate rare risks, and believe that the unknown is riskier than the known – which isn’t true. If our feeling of security is less than the reality, it results in paranoia and insecurity”.

Schneier indicated that security can be broken down into three concepts: the feeling of security, the reality, and the security model. “Security models come from the media and elected officials. Other models come from science but are screened by the media”.

Schneier also introduced the idea of agenda – which, when injected into a security trade-off, makes no sense at all. “Stakeholders with agendas will try to sell a security model to make you buy their product. For example, cigarette companies tried to sell a model which said ‘smoking is healthy’”. This is a clear example of a model in which reality and feeling are far apart. If people feel secure, even if they’re not, they will happily buy into this model, Schneier said. "Do security products really make your business safer, or just make you think it's safer?" he asked delegates.

“Feeling, reality and model might not always be compatible. And fixing feelings is the short-term fix. The long-term fix however is to move the model closer to reality, and slowly feelings will follow”.

Security theatre may be needed when people’s fear is higher than reality. When risk is low and fear is high, making people feel better will be beneficial, argued Schneier. One example of security theatre he gave is tamper-resistant caps for over-the-counter medicines, which were introduced in the wake of Tylenol-tampering incidents in the 1980s. The packaging is more security theatre than an effective countermeasure, since someone intent on tampering with the contents could use a syringe, but the packaging served to bring people's feelings about security more in line with reality, he said.

“Savvy security needs to assess both reality and feelings”, Schneier concluded. “People don’t like to listen to anything that contradicts their own model, but we have to keep talking about reality and give people an alternative model”.
