MemeStreams | MemeStreams Discussion

Create an Account

This page contains all of the posts and discussion on MemeStreams referencing the following web page: Schneier on Security: The War on the Unexpected. You can find discussions on MemeStreams as you surf the web, even if you aren't a MemeStreams member, using the Threads Bookmarklet.

Schneier on Security: The War on the Unexpected
by Decius at 9:24 am EDT, Nov 1, 2007

Someone sees something, so he says something. The person he says it to -- a policeman, a security guard, a flight attendant -- now faces a choice: ignore or escalate. Even though he may believe that it's a false alarm, it's not in his best interests to dismiss the threat. If he's wrong, it'll cost him his career. But if he escalates, he'll be praised for "doing his job" and the cost will be borne by others. So he escalates. And the person he escalates to also escalates, in a series of CYA decisions. And before we're done, innocent people have been arrested, airports have been evacuated, and hundreds of police hours have been wasted.

How LED signs become a national emergency. Probably one of the most accurate things Schneier has written on anti-terrorism security. There are some interesting links from this article, including a campaign urging people to report suspicions of child abuse that simply shows a man holding hands with a child along with the text "It doesn't feel right when I see them together" and a phone number.

Fear is the new Comfort
by noteworthy at 8:49 pm EDT, Nov 1, 2007

Decius wrote:

How LED signs become a national emergency.

The story here doesn't strike me as particularly novel. The underlying lesson is that security is all about incentives. We've been talking about that here for a long time now. Let's take a walk through the archives:

Workshop on Economics and Information Security, from January 2002:

Many system security failures occur not so much for technical reasons but because of failures of organisation and motivation. For example, the person or company best placed to protect a system may be insufficiently motivated to do so, because the costs of system failure fall on others. Such perverse incentives raise many issues best discussed using economic concepts such as externalities, asymmetric information, adverse selection and moral hazard. They are becoming increasingly important now that information security mechanisms are not merely used to protect against malicious attacks, but also to protect monopolies, differentiate products and segment markets. There are also interesting security issues raised by industry monopolization and the accompanying reduction in product heterogenity. For these and other reasons, the confluence between information security and economics is of growing importance.

This workshop continued; in 2004 I cited the Third Annual Workshop on Economics and Information Security, which posed such questions as:

Can market forces ensure that firms will act to improve security?

Later that year, we enjoyed Old-school British anti-piracy ads, including one that encourages you to rat out your school teachers for cash.

Earlier this year I recommended Anderson's 2001 paper about Why Information Security is Hard. This is always worth reading, and now seems like as good a time as any. I'm still loving the quote from 1849, about first-class and third-class carriage service:

Having refused the poor what is necessary, they give the rich what is superfluous.

Bruce's "CYA decisions" are the superfluous trappings of the rich. Fear is the new Comfort.

Also, I note another recommendation, from last year, about Costs and Consequences of Transformation and Transparency:

The economics of ‘information-rich’ environments inherently inspire perverse incentives that frequently generate unhappy outcomes.

The context is slightly different but the message is quite applicable:

Any objective review of private sector experiences with digital transformation offers RMA champions evidence more sobering than inspiring. The potentially enormous benefits of net-centric transformation should be valued only in the context of their potentially enormous costs. These cost-benefit ratios have not been adequately assessed. The fundamentalist dogma of the RMA transformation ideology recalls the aphorism, “Be careful of what you want because you’re sure to get it.”

There is also Nassim Nicholas Taleb and his Black Swans:

Many hedge fund managers ... are just picking up pennies in front of a steamroller. And sometimes the steamroller accelerates.
In a world of Black Swans, the first step is understanding just how much we will never understand.