https://www.schneier.com/essays/archives/2007/01/in_praise_of_securit.html
As I'm also a great fan of "security theater" I got all excited when I saw the title, but sadly it turns out to be all about completely sensible things.
"Security is both a reality and a feeling. The reality of security is mathematical, based on the probability of different risks and the effectiveness of different countermeasures. We know the infant abduction rates and how well the bracelets reduce those rates. We also know the cost of the bracelets, and can thus calculate whether they're a cost-effective security measure or not."If the reality of security is based on probability then it cannot be essentially mathematical, because probability is not essentially mathematical. Probability is essentially epistemological: it is a question of what we know. The fact that we use "objective" mathematics to calculate probabilities is not sufficient to make what we know real. Our knowledge is only real when we know how or why it is that we know what we think it is we know. Taking Schneier's example here: we need to know how we know those statistics about baby abductions from hospitals were arrived at before we can make a judgement as to the probability that some particular baby will be abducted.
"But security is also a feeling, based on individual psychological reactions to both the risks and the countermeasures. And the two things are different: You can be secure even though you don't feel secure, and you can feel secure even though you're not really secure."Then later he writes, of security theater:
"It's only a waste if you consider the reality of security exclusively. There are times when people feel less secure than they actually are. In those cases -- like with mothers and the threat of baby abduction -- a palliative countermeasure that primarily increases the feeling of security is just what the doctor ordered."Schneier is clearly taking probable cost-effectiveness of security measures as the measure of the "reality" of security, which is unsupportable, and he would have known this if he'd discussed it with any woman. The first thing she would have asked him would have been "And how do you measure the cost to the mothers whose babies are abducted, or their families or the abducted child?"
What Schneier is talking about is not security at all, it's just insurance. These are the sorts of questions a big insurer employs actuaries to calculate. And a smart security consultant will be able to do these calcs too, and figure, ... "Well if I tell people this and that about security, the probability of my losing the right to professional endemnity insurance when my insurers have to pay out more than MAX million dollars is ... and if this is a Poisson distribution, and I retire in 5 years ... OK." Martha, write this report for the West Hollywood Maternity Hospital: the baby RFID tag alarm system is not real security because blah, blah, copy that from the report I did for the Baltimore District Hospital Administration last year."
So, what I've learned from Bruce is what real security really is, and I don't doubt for one minute that he's right. As Aristotle wrote in one of ethics texts, I forget which, money becomes a measure of all things. But what a shame. It doesn't have to be like this, you know.
Real security is actual knowledge, not of risks, but of the probability of the effectiveness of the countermeasures that are in effect against the known risk. We don't need to know anything about the probabilities of the perceived risks becoming actual events, otherwise all security would cease to be real once the countermeasures to the risks were widely employed: because the risks would fall and the cost-effectiveness of the measures would go negative.
Now, if I can just figure out a way to make a shit-load of money as a security consultant .... maybe Bruce can help?
Ian
P.S. The wandstrassewolf just told me "No man, you make the same fuckin' mistake every time. You think these people are smart, don't you? Asshole! Fuck-em harder, man! They 'aint gonna think of this shit 'till you tell 'em about it."
OK, OK, take it easy, here's some nice Bolivian coke, ..., better now? Good.
So, what we need to think about, when we do cost-benefit analyses of security, is this:
- What event are we most afraid of?
- What is the cost to us if that event occurs?
- What is the most effective counter-measure to neutralize that threat?
- What is the cost of affecting this countermeasure?
- What is the probability that this counter-measure will fail?
Oh man! You don't get it do you? As far as these dumb fucks are concerned, you're the fuckin' threat, asshole! You gotta' tell'em it's the global economic collapse, and then you gotta tell'em what that costs, because they won't be able to figure that out for themselves, it's way too hard. I mean, these guys are runnin' their fuckin' economic models to show how their system handles four big banks going down on the same day.
But, Mr. Wolf, what big teeth you have!
No comments:
Post a Comment