Bruce Schneier Talks Brain Heuristics and Security

ancientribe writes "Bruce Schneier is at it again: the security icon shares his latest research and insight on the interplay between psychology and security in this article in Dark Reading. The focus of Schneier's latest research is on brain heuristics and perceptions of security, which may be the basis for the best-selling author's next book. His goal for the topic, which he'll be presenting at the RSA Conference next week, is to focus on how people think, and feel, about security, and how neuroscience can help explain how our perception of risk doesn't always match reality."

Encryption and ease of use.

[Kelson]

At one point in the article, Schneier comments on email encryption:

"Over the years, no one used encryption" in email, he says. "It had nothing to do with the technology," but instead the ease of use, he says.

This is a good example, because encryption is in common use on the web. To the end user, using a website over an SSL or TLS connection is no different from using one in the clear. It's almost too easy, which is why browsers have lock icons, color changes, and "You are leaving a secure site!" messages.

Of course, the problem is slightly different, since HTTPS is all about protecting a client-server connection from eavesdropping, not protecting the data itself. Once the data reaches the server, the server is entirely capable of doing something boneheaded with it like saving it in plain text in index.html. Similarly, data sent to the client can easily be printed out and left face up on the car seat.

Client-server connections are easy to deal with, because the only people that need to manage them are the software developers and the admins managing the server. Similarly, it's trivial for an end-user to send/retrieve mail using a TLS-encrypted SMTP, POP3, or IMAP connection.

Email is harder, because it's fundamentally peer-to-peer (layered through a series of client-server interactions), which means the end users actually have to manage a digital identity.

Re:Its all in your..

[Dark Kenshin]

I think that's the general synopsis of the book. If you really, really, really believe you are secure, then you are... till you get hit by a bus or something.

5 tough user-space factors

[G4from128k]

I see five factors that make the user-space side of security so hard.

1. Incentives: Most people, especially employees, don't face personal consequences when their PC is infected or the company database gets pwned.
2. Rarity: Most people see security problems as something that happens to someone else. That so few breaches are publicized only enhances the belief in the low likelihood of problems.
3. Hubris: Most people believe they know what they are doing.
4. Boredom: Ask a person to be careful too many times in the face of a relatively low-probability event and they become trained to click "Yes, Install."
5. Sociality: Most people are nice and assume that other people are nice too. They hold the door open for the social engineering intruder, they click on the "cool link", they open email that looks like it might be from someone important. Malware creators prey on our desire to "do the right thing."

Some of these five are easier to address but some reflect deeper realities about being human.

Re:Perception

[Yartrebo]

We also have a major bias towards catastrophic risks that we have no control over mundane risks that we think we have control of.

Take the risk of getting wiped out by an asteroid vs. the risk of getting framed and sent to prison. The former is far less likely (less than 1 in a million), but it also gets people a lot more scared. Your odds of being framed and sent to prison are greater than 1 in a 100 over a lifetime (at least in the USA, the odds are far lower in countries with lower incarceration rates), but it doesn't evoke the same kind of fear.

Re:Encryption and ease of use.

[owlstead]

"Email is harder, because it's fundamentally peer-to-peer (layered through a series of client-server interactions), which means the end users actually have to manage a digital identity."

That, and email encryption is mostly done either through soft-certificates or - more commonly - through PGP. There are hardly any mail systems that integrate PGP, although they are available as add on. Even so, I believe the user interface is still much harder than e.g. websites with SSL. Also, as you rightly said, end users not only have to manage a digital identify, most of the time they have to handle the other person's digital identities as well. E.g. here at home I cannot verify any signatures that I can verify on the computer at my work, because I do not have an up to date certificate store.

Of course there is also SSL with client side authentication. Although this is very usefull for B2B transactions (web services), you will hardly see any uses for end users. Even though both Mozilla and IE have build in support (although the Mozilla version tended to be broken for a pretty long time, and the IE version also has its fair share of problems).

Re:People TRUST programs with a LOCK as their icon

[jonadab]

> Why do people trust complex programs with colorful symbols and logos more
> than a simple linux command, where you know what is going on?

Because end users *don't* know what's going on.

It's not a question of trusting something complex and inscrutable (proprietary security software) versus something simple and straightforward (open-source command-line software), but more a case of trusting something complex and inscrutable that looks well put-together and comes from a well-known maker, versus something complex and inscrutable that looks arcane and comes from nobody in particular.

Spend some time around end users, trying to understand their problems. It won't enable you to solve the problems, but it will help you understand what we're up against.