From Cybersecurity Wiki
Beyond Fear: Thinking Sensibly about Security in an Uncertain World

Bruce Schneier, Beyond Fear: Thinking Sensibly About Security in an Uncertain World (2003).



This book explains how we all can think sensibly about security. In today's uncertain world, security is too important to be left to others. Drawing from his experience advising world business and political leaders, Schneier demonstrates the practical -- and surprisingly simple -- steps we can all take to address the real threats faced by our families, our communities, and our nation.

Security is not mysterious, Bruce Schneier tells us, and contrary to popular belief, it is not hard. What is hard is separating the hype from what really matters. You already make security choices every day of your life, from what side of the street you walk on to whether you park your car under a streetlight. You do it naturally. This book guides you, step by step, through the process of making all your security choices just as natural.

Schneier invites us all to move beyond fear and to start thinking sensibly about security. He tells us why security is much more than cameras, guards, and photo IDs, and why expensive gadgets and technological cure-alls often obscure the real security issues. Using anecdotes from history, science, sports, movies, and the evening news, Beyond Fear explains basic rules of thought and action that anyone can understand and, most important of all, anyone can use.

Schneier analyzes a security scenario using a five-step process to determine if a particular solution is effective and worth its cost. He uses this analysis to separate effective security measures from "security theater," measures which give the illusion of providing increased security without actually reducing risk.

The five-step process is useful for evaluating personal security decisions, but many security decisions involve a variety of players--each with his own agenda. Your ability to take control of important security decisions is often severely limited, but you do have some control. As a citizen, you can effect some changes in security practices with your vote. As a consumer, you effect others with your wallet. As a technologist, you can invent something that changes security. And, if you have some measure of money and freedom, you can change your environment even if that means relocating yourself. Making changes in security arrangements is also achieved through negotiation. Using mechanisms like insurance and laws that enforce liability, individuals can secure some measure of power in determining what kind of security will be available to them.

I started this book saying that people make security trade-offs based on their individual agendas, both for security and non-security decisions. When faced with a security countermeasure, you have to evaluate its effectiveness in mitigating your personal risk in your personal situation, and then you have to determine what the trade-offs are and if they're worth it to you. The five-step process is designed to focus on the specific aspects of security you need to understand in order to make one basic decision: Is the security countermeasure worth the trade-offs? Again, here are the steps:

Step 1: What assets are you trying to protect? Answering this question is essential because it defines the system under consideration. So much of the bad security surrounding us is a result of not understanding exactly what is being protected and of implementing countermeasures that move the risk around but don't actually mitigate it. And remember, often it's not simply a set of physical assets that are important, but particular functionalities of those assets. The assets that need securing are really a system, and you won't be able to protect them unless you understand what they are, how they work, and what aspects of them the attackers are after and why.

Step 2: What are the risks against these assets? Answering this question means understanding the possible threats against the assets. Understanding this, in turn, involves analyzing the attackers and their goals and, finally, the attacks they might launch to achieve those goals. A full understanding of the risks requires determining how likely the various threats are, as well as their ramifications. Answering this question also requires evaluating how technological advances might affect potential attacks and attackers, and how that in turn might affect the risks.

Step 3: How well does the security solution mitigate the risks? Answering this question requires an understanding of how the security countermeasure protects the assets against the risks and, more important, what happens when the security solution fails. As we've seen, answering this question can be very complicated. A countermeasure can mitigate the risk completely, partially, or not at all. A countermeasure can be more effective against one particular attack (or one particular type of attacker) and less effective against another. A countermeasure can fail both passively, by allowing an attack, and actively, by blocking legitimate access to the assets being defended. Being able to answer this question well means you're getting at the heart of security.

Step 4: What other risks does the security solution cause? Answering this question requires you to understand how the countermeasure interacts with other countermeasures, and how the security countermeasure works within the context of the overall system in which it is embedded. Almost all security countermeasures cause additional security risks, and it is vital to understand what they are.

Step 5: What trade-offs does the security solution require? Answering this question requires you to understand how the countermeasure interacts with everything else: with all of the non-security components of the system. All countermeasures affect the functionality of the assets being protected. All countermeasures affect other systems. All countermeasures have a cost: not necessarily financial, but in terms of convenience, usability, freedoms, and so on. These trade-offs may have nothing to do with security, but often they are more important than security.

Of course, that result won't remain optimal forever; you'll revisit it again and again over the years. You may modify your answer over time, based on new information about risks, or new realizations about what trade-offs you're willing to accept, or new technology that becomes available, or changed financial circumstances or ... the list goes on. The point is, security is never done; it's a never-ending process.

Security is more than important; it's an essential and inevitable part of who we are. Because it can never be absolute and static and rigid, it's helpful to think of security as a game--but one that never ends, and one with the most serious consequences. We have to be resourceful, agile, alert players. We have to think imaginatively about our opponents. And we have to move beyond fear and realize that we live in a world in which risk is inherent and failures are inevitable. Thinking sensibly about security requires that we develop a rational sense of the numbers underlying risks, a healthy skepticism about expertise and secrecy, and a realization that a good deal of security is peddled and imposed and embraced for non-security reasons.

Security is a tax on the honest. If it weren't for attackers, our lives would be a whole lot easier. In a world where everyone was completely honorable and law-abiding all of the time, everything we bought and did would be cheaper. We wouldn't have to pay for door locks, police departments, or militaries.

  • Schneier Risk Demystification: Numbers matter, and they're not even that difficult to understand. Make sure you understand the threats. Make sure you understand the risks. Make sure you understand the effectiveness of a security countermeasure and all of the trade-offs. Try to think of unintended consequences. Don't accept anyone saying something like: "It would be terrible if this sort of attack ever happens; we need to do everything in our power to prevent it." That's patent nonsense, and what someone living in fear says; you need to move beyond fear and start thinking about sensible trade-offs.
  • Schneier Secrecy Demystification: Secrecy is anathema to security for three reasons: It's brittle, it causes additional security problems because it conceals abuse, and it prevents you from having the information you need to make sensible security trade-offs. Don't accept anyone telling you that security requires keeping details of a security system secret. I've evaluated hundreds of security systems in my career, and I've learned that if someone doesn't want to disclose the details of a security system, it's usually because he's embarrassed to do so. Secrecy contributes to the "trust us and we'll make the trade-offs for you" mentality that ensures sloppy security systems. Openness demystifies; secrecy obscures.
  • Fear is the barrier between ignorance and understanding. It's paralyzing. It makes us fatalistic. It makes us do dumb things. Moving beyond fear means freeing up our intelligence, our practical common sense, and our imagination. In terms of understanding and implementing sensible security, moving beyond fear means making trade-offs openly, intelligently, and honestly. Security is a state of mind, but a mind focused on problem-solving and problem-anticipating and problem-imagining. Security is flexible. Fear is also a state of mind, but it's brittle. It results in paranoia, paralysis, and bad security trade-offs.

