April 9, 2008 5:01 AM PDT

Bruce Schneier's new view on Security Theater

Security expert Bruce Schneier is rightly regarded as one of the industry's most intelligent and insightful participants. He has made substantial personal contributions to the science of cryptology, and has written some of the best books on the subject.

Like many smart people, Schneier is also highly opinionated. Although I have yet to hear a technical opinion from Schneier that I disagree with, some of his nontechnical opinions are--in my opinion--open to debate.

For example, Schneier coined the term "Security Theater" to describe measures that serve to make people feel safer without significantly improving security in any real sense.

That's a great definition. Security Theater is a real thing. But Schneier has frequently said that it's universally a bad thing...as if human psychology is irrelevant. Yes, it's obvious now that airport security checkpoints prior to September 11, 2001 were more of an inconvenience to travelers than they were to hijackers. Hijackings were rare but possible before the checkpoints, and rare but still possible after the checkpoints were set up. But without those checkpoints, a lot of people simply wouldn't have flown on commercial airlines.

At the RSA Conference this week, Schneier gave a talk on "Reconceptualizing Security" based largely on an essay on his Web site titled "The Psychology of Security."

I think this was very good work, and represents a significant maturation of Schneier's thinking on the nontechnical issues he's been covering all these years.

Most notably, it explains the proper purpose of Security Theater. When people feel less safe than they ought to given the facts of a situation, they can make bad decisions--for example, avoiding commercial aviation even when it's objectively safer than the alternatives. Security Theater brings feelings and facts back into agreement and restores rational behavior.

Security Theater isn't entirely good. It's still a kind of fraud, and the mere fact that it works doesn't mean it's an optimal solution; it just shows where this approach comes from and why it works. There are still plenty of problems with it. For example, one audience member pointed out in the Q&A session following Schneier's talk that using Security Theater to make people feel better about some threat can backfire if the reality of the situation deteriorates. People will retain the good feelings engendered by the charade and thus underestimate the real threat.

Schneier expanded on his essay by adding a third independent variable. Along with facts and feelings, we also build conceptual models for security analysis. However rational our models may be, our feelings may still be different. Although someone in the audience asked if we shouldn't just think in terms of facts and models, I think we have to accept that feelings and models are functionally distinct, and therefore we have to keep them separate. For example, we can express and analyze models far more easily than we can communicate our feelings.

But the reality of how we make security decisions begs an important question--should security professionals focus on real solutions to security problems, or just on making people feel better about security? Unfortunately, there's no easy answer to this question. It depends on who's paying the professional's salary, what they expect, and how rational they are. At one extreme, any professional should certainly want to improve security in real terms, but delivering the perception of improved security may be a practical job requirement.

There was one funny moment in the presentation that I have to relate. Schneier was describing the 1982 Tylenol crisis and the resulting broad use of tamper-evident packaging. At the very moment he made that connection, he took a bottle of water provided by the show organizers on the podium and cracked open the cap. It was apparent to me that he hadn't even noticed this connection, and when I pointed that out, he agreed--tamper-evident bottle caps are now so much a part of our everyday lives that we don't even notice them any more.

These caps don't make us much more secure in any real sense, but they allow us to feel comfortable about drinking from bottles we've never seen before. The cynical old Bruce Schneier would probably say that's a bad thing, even though the effect works on him just like anyone else. The new Bruce Schneier, I think, has a better appreciation of the role of psychology in making security decisions, and his future work will probably be better for it.

Peter N. Glaskowsky is a technology analyst for The Envisioneering Group. He is a member of the CNET Blog Network, and is not an employee of CNET. Disclosure.
by Mediocrates April 9, 2008 2:47 PM PDT
I guess I'm just a Darwinist at heart, but I believe that touchy-feely, illogical, emotion-based thinking should bear the appropriate consequences, for how else would we learn to think more clearly in the future? Pandering to baseless fears enables people to continue nurturing them, rather than developing a more accurate world view.

Security professionals should focus exclusively on real solutions to real threats, and leave the warm-fuzzy-happy talk to liberal Democrats.

About Speeds and feeds

Peter N. Glaskowsky is a computer architect in Silicon Valley and works part-time as a technology analyst for The Envisioneering Group. He is a member of the CNET Blog Network and is not an employee of CNET. Disclosure.