People are NOT computers
Thu, 2007-08-02 19:58

I’m in Vegas this week attending BlackHat and DefCon. This is my first time for both, and I’m thoroughly enjoying it.

Today I was able to sit down for a few minutes with Bruce Schneier. Bruce describes his career in the security field as “a series of generalizations,” beginning with cryptography and leading to his current fascination with economics and psychology and their relationship with security. The topic of his BlackHat keynote this morning was “The Psychology of Security.” Much of the content for his presentation was based on his earlier essay, The Psychology of Security, available here.

During Bruce’s keynote, he referenced numerous studies that all pointed to one inescapable conclusion: people are a whole lot less predictable than we think. They simply make illogical choices. Is this new information? Not really; but his reason for bringing this information to our attention is that technical folks (e.g. InfoSec professionals) generally treat each decision as a technology decision.

“People are NOT computers,” Bruce states, and the security industry needs to account for that. Bruce expands by making the point that the security industry needs to acknowledge this fact and act accordingly. He’s taken a step back from his previous condemnation of ‘security theater’ (processes and actions made more for the purpose of appearing secure rather than actually making something appreciably more secure).

I realize that there is an ongoing debate related to the effectiveness of security awareness efforts. But I think that an acknowledgment of the fact that people are generally the weakest link, coupled with their inherently unpredictable nature, makes the point that security awareness is one of the single most important aspects of a security program. It also shows us that we cannot allow information security to be an island in and of itself. Security professionals need to be multi-disciplined – learning from industries that have been implementing psychological tactics for years (Marketing immediately comes to mind…).

Something to look forward to: Bruce briefly mentioned that he is planning an upcoming workshop that will allow security pros to delve deeper into this topic to better understand the ramifications.

...Maybe security professionals need *human behavior* awareness training...

Thoughts? 
