Monday, November 15, 2010

TEDxPSU - Bruce Schneier - Reconceptualizing Security

Let me restate some ideas from this presentation.

In the real world there are dangers and actions which can be taken to reduce or eliminate those dangers. We react to the real world conditions emotionally. Schneier stresses the emotional reaction to the danger, but I would add that there are also emotional reactions to the means of dealing with dangers. (Some people react emotionally to police in ways that interfere with the accuracy of their perception of the efficacy of policing as a means of dealing with danger.) We also use intellect to react to danger and to choose ways to react to danger. Schneier is very good on what we know about cognitive bias in the intellectual models we make of the real world dangers and actions, although he can not do justice to the topic in a brief discussion. For example, I think there is a difference between our being "risk adverse" and our being "loss adverse" although both biases can reduce the quality of decisions.

I like Schneier's differentiation between security measures and security theater. Security theater is meant to influence our emotions and our models. I would say that good security theater has the effect of bringing our perceptions closer to reality and bad security theater is meant to distort our perceptions from reality. Bad security theater is perpetrated by people who would sell us products that promise more security than they deliver. Those products can be commercial products, but I would say that the Bush administration also perpetrated some bad security theater with respect to the threats of terrorism or of weapons of mass destruction in Saddam's Iraq.

Schneier makes a great point that our emotional response can be conditioned by our intellectual model of dangers and actions, and that often with time our models disappear from our consciousness leaving us simply to perceive our emotional response.

I would draw the conclusion that we want to work to make our intellectual models as good as possible and to use effective analytic means to draw conclusions from those models. Schneier suggests that we know a lot about our local risks, but my experience on a local Grand Jury dealing with scores of people accused of local crimes made me aware that my intellectual model of local crime risk was seriously deficient. Awareness of common cognitive biases can be used to help overcome those biases.

While we can individually analyze security theater to help judge whether it is benign or malicious, we can also consciously seek factual evidence to improve our intellectual models. We need help from the news and other other media to brand bad security theater from government as we have help from the government to protect us from bad security theater from the private sector (false advertising, false claims for drugs and medical treatments).

No comments: