Humans Not Evolved for IT Security

Stony Stevenson writes to tell us that at the recent RSA Conference security expert Bruce Schneier told delegates that human beings are not evolved for security in the modern world, especially when it comes to IT. "He told delegates at the 2007 RSA Conference that there is a gap between the reality of security and the emotional feel of security due to the way our brains have evolved. This leads to people making bad choices. 'As a species we got really good at estimating risk in an East African village 100,000 years ago. But in 2007 London? Modern times are harder.'"
  • Bad Analogies Abound (Score:5, Interesting)

    by eldavojohn ( 898314 ) * <eldavojohn@noSpAM.gmail.com> on Wednesday October 24, 2007 @02:58PM (#21103515) Journal

    "The brain is still in beta mode, it's got all sorts of patches and workarounds. It's not perfectly created, it's clearly evolved up."
    Wow, just ... wow. I'm not even a biologist, but I know that's a terrible analogy. You can't compare the brain to software. We can control software and decide when it 'goes live'; there are no prototypes in nature or evolution. Every attempt is an iteration of the process, and the process is never ending. Furthermore, the existence of an absolute of 'perfectly created' is debatable on any level with regard to any process or system.

    Exaggerate uncommon risks -- for example, air travel is safer than cars but because car accidents are common they are seen as less risky
    Maybe because everyone involved in an airplane crash usually dies. Automobile deaths are much less. There's this idea of risk = probability * impact. In the case of automobiles, probability is high but the impact is low. It's the other way around in aircraft failures.

    Personified risk -- Osama Bin Laden is scarier than a faceless threat
    How in the hell does this relate to IT security? I think IT administrators are more afraid of the people they don't know hacking their systems than the people they actually employ doing the same. In the end, I'm sure more attacks come internally or from an ex-worker than from someone unknown. Maybe the face you know should be more scary than the face you don't at the office?

    Risks that could be controlled -- The DC sniper caused a few deaths but the response was way out of proportion.
    Please elaborate. I know of the John Lee Malvo incident, but I have no idea how this relates to IT security. Are you telling me that shutting down a system to protect a database from a possible threat or virus is overkill? I would respond that it varies on a case-by-case basis, but at my job, offline databases are worth maintaining the integrity of the data inside them.

    I know I'm really coming off as a jerk when I say this, but I don't think this article helped me in any way. All I saw was someone oversimplifying a complex problem--thereby making them seem smarter to the people they were explaining it to.

    Don't read this article, it has nothing to offer you. If you don't know this subject, I believe this article will only add to your confusion and lack of understanding.
  • It's the money (Score:3, Interesting)

    by ZonkerWilliam ( 953437 ) * on Wednesday October 24, 2007 @02:59PM (#21103521) Journal
    As an INFOSEC person, I see this kind of mentality on a daily basis. Still, there is a realization of the costs of outages due to attacks, and that I see. Slowly but surely it's changing. Compared to evolutionary changes, though, it's a blink of an eye.
  • by SatanicPuppy ( 611928 ) * <SatanicpuppyNO@SPAMgmail.com> on Wednesday October 24, 2007 @03:12PM (#21103715) Journal
    This is actually a hot psychological topic right now: humanity's tendency to poorly conceptualize risk. We're far more worried about diseases we're unlikely to catch than ones we are. Plane crashes are scary because planes aren't familiar to most people; poor understanding of the risks magnifies fear. People always worry about the stereotypical malicious strangers, when most assaults come from people you already know.

    I think mostly he's just pointing all this out as background to the tendency to poorly appreciate risk. He's basically saying, "People apply more worry to splashy things that aren't likely to happen, and therefore we have these huge data breaches because who cares about SSNs when the terrorists could be blowing up a nuke plant?"

    The only place where I think he's totally off base is calling the brain "a patchwork". It's not, in fact. It's extremely finely tuned to do what we need it to do...It makes us ferociously competitive animals, and that is proven rather than disproven, by all the security problems that we've been having. If we weren't competitive, we wouldn't have problems. The fact that not everyone works at the same level is irrelevant.
  • What a pile of carp (Score:4, Interesting)

    by Roadkills-R-Us ( 122219 ) on Wednesday October 24, 2007 @03:18PM (#21103799) Homepage
    The real problems are, in no particular order:

    1) A lot of people are either stupid or uneducated.
    2) A lot of people don't bother to think.
    3) A lot of people are sheep and believe what they're told by marketing.
    4) A lot of people are lazy.

    I guarantee you this covers the vast majority of the problems with IT security. It's not biological evolution, though you could make a good argument for societal devolution being the problem.
  • by Opportunist ( 166417 ) on Wednesday October 24, 2007 @03:29PM (#21103923)
    So that's why my common sense tells me I don't need to hide under my bed from the bad, bad terrorists, it's just that I can't see them anywhere and not that it's overblown hype.

    I'm kinda scared now.
  • Re:Stupid Crap (Score:5, Interesting)

    by Quiet_Desperation ( 858215 ) on Wednesday October 24, 2007 @03:33PM (#21103969)
    which makes it difficult to use, then say that people are just too dumb to use it.

    That always amazes me to this day.

    IT GUY: Your PC is insecure.
    AVERAGE JOE: I don't really know how to properly secure it.
    IT GUY: Dumbfuck.

    Yeah, great approach. Gosh, why don't we teach kids that way?

    TEACHER: What's 147 divided by 7?
    FIRST GRADER: You haven't taught us division yet.
    TEACHER: Dumbfuck.

  • by Anonymous Coward on Wednesday October 24, 2007 @05:19PM (#21105389)

    Exaggerate uncommon risks -- for example, air travel is safer than cars but because car accidents are common they are seen as less risky
    Maybe because everyone involved in an airplane crash usually dies. Automobile deaths are much less. There's this idea of risk = probability * impact. In the case of automobiles, probability is high but the impact is low. It's the other way around in aircraft failures.
    This is a great illustration of how perception overrides reality. The fact of the matter is that most of the time an airplane crashes, everyone lives. The reason you don't know this is because crashes where everyone lives don't make the news. Airplane crashes are just like car crashes. There's a wide spectrum from "minor bump" to "flaming horrible death to all" and, just like car crashes, the majority of incidents are at the bottom of the spectrum. Unlike car crashes, people don't have any immediate experience of airplane crashes, and so they only see what gets on the news, and the only thing that gets on the news is stuff where a lot of people die.
  • by Vellmont ( 569020 ) on Wednesday October 24, 2007 @05:29PM (#21105529) Homepage

    The evolution argument is disproven by Schneier himself; how could he be thinking about it if we hadn't already evolved to make it possible?

    Schneier isn't humanity, he's just Schneier. One guy can have the skills and ability to do something, while the vast majority of others do not. Anyway, I think he's really trying to say that risk assessment of the modern world doesn't come naturally to people, like risk assessment of being eaten by a tiger 100,000 years ago did.

    I don't know if the evolutionary theory about risk assessment is right, but I really doubt you do either. Neither of us has any data to show much of anything.

    Anyway, I think you're trying to take his comments too far. It seems to me Schneier's ideas are really more of a way of thinking about why people are bad at assessing risk rather than a predictive theory that can be picked apart and examined. The ideas aren't really well developed enough for that kind of assessment.

  • east african village (Score:3, Interesting)

    by arbitraryaardvark ( 845916 ) <gtbear@gma[ ]com ['il.' in gap]> on Wednesday October 24, 2007 @06:15PM (#21106077) Homepage Journal
    I once heard Neal Stephenson give a similar talk. http://db.tidbits.com/article/05951 [tidbits.com]
    He drew pie charts labeled "threat model" where 99% of the chart was "hyenas."
    Today, our threat models are a bit more complex.
    http://www.anu.edu.au/people/Roger.Clarke/DV/NotesCFP2K.html#Steph [anu.edu.au]
  • by joto ( 134244 ) on Wednesday October 24, 2007 @09:00PM (#21107863)

    but in an era where there is (comparatively) little immediate threat to life, we are not overly prepared to deal with subtle threats to information or technology

    If somebody breaks into my computer, will I die? No. Will I become sick or temporarily disabled? No. Will I lose money? Possibly, but unlikely, and in any case the insurance company will get it back for me. Should I therefore hire a security consultant? NO!

    I believe most people get this analysis right.

    We are prepared to react to predators that want to eat us and starvation, but ill prepared to deal with people that want to defraud us and steal possessions that may not be immediately with us.

    More importantly, we are unable to plan for long-term security. If the planet's ecosystem is under attack from global warming, creating and/or spreading lots of new diseases (harming us, our food, or in some other indirect way), do we stop emitting pollutants contributing to global warming? No. Do we invest money in biological research and education so we can handle the new diseases? No. Do we invest significantly in technological countermeasures, such as painting the Sahara white, building dams against floods or the rising ocean, or even storing CO2? No. Do we do anything at all? Not really, unless you count selling quotas to each other.