
Schneier: In Touch With Security's Sensitive Side

Security icon's latest work explores the psychology, brain chemistry of security

Cryptologist and now, in a sense, psychologist: Renowned security expert Bruce Schneier is once again turning security on its head -- literally, this time. Schneier will share his latest research and insight at the RSA Conference next week on the interplay between psychology and security. (See Schneier On Schneier.)

Schneier says the goal of his talk at RSA is not to discuss security technologies or tactics, but to explain how people think, and feel, about security. "A lot of the time at RSA, we are just puzzled why people don't secure their computers, and why they behave irrationally. Psychology has a way of explaining this," he says. "If we in the [security] industry expect to build products, we need to understand our customers."

The focus of Schneier's latest research -- which he says could culminate in his next book -- is brain heuristics and perceptions of security. He says security is both a reality and a feeling, with reality based on probability and risk, and feeling based on your psychological reaction to risk and "countermeasures" to security threats.

Often, our perception of risk doesn't match reality, and neuroscience can help explain why, he says. Perception of risk is often seared into our brains. Schneier says people are typically more afraid of flying than driving, for instance, even though statistically it's safer to take the plane. The brain's two systems for assessing risk -- the amygdala, which processes emotions like anger, avoidance, and fear, and the neocortex, which gives us analytical processing -- don't really work in concert when it comes to the perception versus the reality of security.

Trouble is, it's difficult for the neocortex to "contradict" the amygdala, he says. The neocortex is a "newer" part of the brain that is still evolving, he notes, and it is the part of the brain that makes decisions on security "tradeoffs." So sometimes we make security decisions based more on emotion or perception than on logic.

"Security is both a reality and a feeling," Schneier writes in a paper he'll be making public soon. And you can be secure even if you don't feel that way, or you can feel secure even if you're not, he notes.

Not many (if any) security experts weigh psychology into the equation, but then again, Schneier is not just any security guru. He started out as a cryptographer and has since become an expert on physical security as well, including airport and school security. Schneier is also the bestselling author of Applied Cryptography (as well as other books) and BT Counterpane's top security guy.

Schneier says the trouble with vendors missing the psychological component in security is that their products then fail. "The RSA show floor is filled with products that nobody uses. They don't install, they configure badly, or they don't actually work," he says. The user/human interface aspect of a product is more important than the technology, he says.

"Our problem as technologists is we can't pretend people don't exist. We must build security for people," he says.

He admits the human interface aspect of security products has improved. But security doesn't have the best track record in getting in touch with the person behind the user: email encryption, for example, didn't take off. "Over the years, no one used encryption" in email, he says. "It had nothing to do with the technology," but instead the ease of use, he says.

So how do you get into security customers' heads? Schneier says it's really not that hard. "The ways that they think about security decisions is actually very rational and predictable if you understand" the underlying brain heuristics and psychology, he says. "It's not 'look how dumb people are' but 'look how clever the brain is,' " he says. Getting a handle on brain heuristics can also help understand how attackers take advantage of them, too, he says.

The flip side of this: How can security customers make sure they don't make bad security decisions that are based on incorrect perceptions?

Schneier says he doesn't know if you can change brain chemistry for this. "My belief is that making you aware of it goes a long way," he says. "If you can understand you are just reacting from fear, you have a better shot at…understanding these human biases. Hopefully you can short-circuit them and improve on them and make it so we are not slaves to this," he says. "Fear is brain chemistry, but so is reason. We have to figure out how reason can trump fear."

If anyone can solve that puzzle, it's Schneier.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
