Bruce Schneier, a security expert, posted a characteristically stimulating think-piece on his blog yesterday. Ostensibly, its purpose was to promote an acceptance of "security engineering" as a specialist discipline. Its effect, however -- on me, at least -- was to underline how much we remain slaves to our gut instincts, both when it comes to IT security and on other pressing technological issues.
It's high time we checked our hunches at the door.
Schneier kicks off by demonstrating -- I'd say convincingly -- that our intuitions about security screening at airports don't stand up to serious examination. He goes on to explain that feeling secure, while it's a real enough psychological state, is not the same as being secure. Knowing how secure we are -- as individuals or enterprises -- is achievable. Risk assessment is a data-based science.
This goes against deep-seated instincts, of course. Crossing the street is much more dangerous than flying, but few are panicked by the former, and many by the latter. It turns out to be remarkably difficult to put our faith in the data, and not just when it comes to security.
What we're dealing with, yet again, is the general problem of "system 1" versus "system 2" thinking, as defined by the Nobel prize-winning psychologist Daniel Kahneman. "System 1" thinking evolved because it's fast, easy, and -- in primitive environments -- effective. The complexity of the modern world, not to mention the modern security environment, benefits from "system 2" thinking: logical and based on data (facts).
Unfortunately, it's easy to reel off a list of topics where "system 1" thinking (which has strong political appeal, too -- think "sound bites") is retarding progress on some important technology-related questions.
Intellectual property
"System 1" thinking says: If I invented it, it's mine; you need to pay me to reproduce it or use it. "System 2" thinking introduces all kinds of complications. If it's mine now, how come my ownership expires after a certain period? Is it truly detrimental to me -- or actually a benefit -- to have my intellectual property distributed widely? If we're so wired about copyright, how come we're all using tools that make copying and sharing other people's work easier than ever?
Business intelligence
"System 1" thinking says: You're an experienced manager, and you have been in this situation before. Do what always works. "System 2" thinking should persuade us that situations evolve rapidly in real time, that the data describes the situation more accurately than our gut feeling, and that predictive analytics are a better guide to decision making than what happened to work in the past.
Cybercrime
Back to Bruce Schneier. A week ago, he posted a short note on his blog under the heading "Exaggerating Cybercrime," linking to a lengthy critique of the $1 trillion figure often bandied about as the annual cost of cybercrime. Schneier is correct, of course, to applaud the application of "system 2" review to what is essentially yet another sound-bite. It would be way too neat if $1 trillion were the right figure.
The only problem is the critique doesn't tell us what the correct figure is -- and it's possible nobody knows. This doesn't stop the enterprise from applying data-based, "system 2" thinking to its own security environment.
Understand the value of the information on your networks. Apply a cost-benefit analysis when estimating the risk of loss. Monitor systems to identify suspicious activity. Analyze and understand breaches when they take place.
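A worked version of the cost-benefit step above, added here as an example (it is not from the article or from Schneier's essay): it keeps the incident frequency and loss-per-incident estimates as ranges, since the article's point is that exact figures may not exist, and reports when the range is too wide to decide either way. All figures are constructed for illustration.

```python
# Added example: cost-benefit check for one security control using
# order-of-magnitude ranges instead of a single point estimate.
# Every number in the demo scenario below is constructed, not real data.

def annual_loss_range(freq_low, freq_high, loss_low, loss_high):
    """Annualized expected loss as a (low, high) interval:
    incidents per year times loss per incident. Intangibles (staff time,
    reputation) belong in loss_low/loss_high if they can be bounded at all."""
    return (freq_low * loss_low, freq_high * loss_high)

def control_decision(loss_range, reduction, control_cost):
    """Compare what a control avoids against what it costs per year.
    `reduction` is the fraction of expected loss the control removes.
    Returns 'adopt', 'reject', or 'undecidable' when the avoided-loss
    interval straddles the control's cost: the data is too uncertain."""
    low, high = loss_range
    saved_low, saved_high = low * reduction, high * reduction
    if saved_low >= control_cost:
        return "adopt"
    if saved_high < control_cost:
        return "reject"
    return "undecidable"

def most_uncertain(freq_low, freq_high, loss_low, loss_high):
    """Which input spans more orders of magnitude, and therefore is the one
    worth measuring (the article's 'monitor' step) before deciding."""
    freq_ratio = freq_high / freq_low
    loss_ratio = loss_high / loss_low
    return "frequency" if freq_ratio >= loss_ratio else "loss"

def demo():
    # Constructed scenario: a credential dump happens between once a
    # decade and once a year; each one costs 50k to 200k including resets
    # and reputation. A hypothetical control costs 60k/yr, removes 80%.
    rng = annual_loss_range(0.1, 1.0, 50_000, 200_000)
    verdict = control_decision(rng, 0.8, 60_000)
    refine = most_uncertain(0.1, 1.0, 50_000, 200_000)
    return rng, verdict, refine

if __name__ == "__main__":
    print(demo())
```

When the verdict is "undecidable", the honest output is not a number but the name of the input to go and measure.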
"Security engineering" is a challenging alternative to "feeling" secure, or indeed "feeling" insecure, but it's the rational option.
KD="the critique doesn't tell us what the correct figure is -- and it's possible nobody knows."
To get a cost analysis you would need a lot of estimates related to the "intangible" costs.
If a crook transfers 500 bucks from your credit card to a bank in Ukraine -- well -- you're out 500 bucks, right?
What about your time? Anxiety? What cost of problem analysis for the bank?
If Team GhostShell posts all your customers' UserIDs and passwords on Pastebin, how many hours are required to get everyone a new password? What is the damage to your reputation worth?
A couple of firms that dealt in X.509 certificates went out of business as a result of getting hacked...
How many hours will we spend in the US checking security, patching, testing, worrying?
I don't see any way to even estimate the problem.
Much of the software we use today was never designed to be secure; it is not suitable to the purpose for which we now apply it. And many procedures we use today were designed for pen and ink and are wholly unsuitable in a high-speed electronic environment.
Our intuition tells us we should load up on fatty, calorie-rich foods, and be as sedentary as we can, because we evolved during frequent famines. Our intuition tells us to start at noises because the noise might be a big predator that thinks we are crunchy and good with ketchup.
Now, these very intuitions are literally killing us, with obesity and stress contributing to heart disease.
I think I have to call you on the carpet for a bit of System 1 there yourself. We pass by and through construction all the time, where that startle reflex is very much relevant to safety and survival. I live in the Chicago area where (sadly) there's been a lot of recent attention to the murder rate in areas in and around the city.
A reflex response to loud noise may raise our stress levels. But it is *still* a relevant survival mechanism.
Which raises another point: Just because a given stance or intuition may stem from a no-longer-relevant situation, that does not mean that the stance or intuition itself is no longer relevant. It *can* guide us to a better one.
Kim - it's a big book, and if I wasn't just finished re-reading it, while taking notes for a course in graduate school, I probably wouldn't remember either. That said, it's a fantastic book.
A question central to Kahneman's book is which places to rely on hunches and which places it is foolhardy to do so. The issue is that by understanding the situations in which our minds deceive us, we can better tell the two apart - and know which way our error is likely to lie, by over- or underestimating the relevant quantity or risk.
Whether the data exists or not, we can save ourselves time by appreciating whether our estimates are accurate to within an order of magnitude (How many oranges will I eat this week?) or likely to vastly underestimate (What are the odds of dying of a heart attack or stroke?) or overestimate (What are the odds I will be killed in a terrorist attack?) a risk.
From page 20-21 of the book: "I adopt terms originally proposed by the psychologists Keith Stanovich and Richard West... The labels of System 1 and System 2 are widely used in psychology, but I go further than most in this book."
Of course, 'system 1' thinking continues to be of evolutionary benefit when there's a big rock coming our way, or a car going through a red light, or there really is a tiger in the room. We just need to know when to set it aside.
I certainly agree that it would be wrong to reify these two methods of thinking, or to imply that there's a determinate barrier between them. At the same time, examples of how we reach conclusions by using intuition, which on reflection are obviously false, are so plentiful that I think the distinction serves a heuristic purpose.