I have been following with interest the discussions started by Ken Belva on this site in response to Bruce Schneier’s initial post on his own blog about the “security mindset” or, to put it another way, “security folks with beautiful minds.”
First, I want to say how much I admire Bruce Schneier for his intelligence, analytical ability and eloquence. He is one of very few security professionals, particularly from among those in esoteric fields such as mathematics and cryptography, who can describe complex security issues in layman’s terms. I have very much enjoyed reading his more recent books. In fact, one of his books was instrumental in identifying a convicted felon who was working on a former employer’s critical systems. But that’s another story.
A particularly admirable quality of Bruce’s is his willingness to admit to the weaknesses of ideas that he has long touted. As a world leader in cryptography, he does not hesitate to point out the limitations of poor encryption implementations in his seminal work Secrets & Lies (John Wiley, 2000). I am still waiting for him to reconsider his assertion from a couple of years ago that organizations should outsource all their security functions. Having written Outsourcing Information Security (Artech House, 2004), I obviously believe that managed security services have their place, but they are not a panacea.
In any event, let’s get back to the security mindset and the psychology of security. We could have anticipated Bruce’s latest foray into psychology from statements that he made to journalist Ellen Messmer at the RSA Conference in February 2007. The interview was published by CSOonline and Network World. Around that time, Bruce wrote a “long essay” on the psychology of security. Coincidentally I was working on a chapter called “An Adaptive Threat-Vulnerability Model and the Economics of Protection,” which is to appear in the forthcoming book Social and Human Elements of Information Security: Emerging Trends and Countermeasures (IGI, September 2008). As further affirmation of the expanding interest in the psychology of security, it is the featured topic of the April 2008 issue of Communications of the ACM.
While I think that it is a good idea for researchers to dabble in other fields, such as mathematicians learning about psychology, I strongly object to any implication that such researchers can transfer their preeminence and credentials in one field to another very different area. As a way to deal with such issues, I have recommended on a number of occasions that we welcome psychologists (particularly forensic psychologists), sociologists and other social sciences experts into the security fold.
However, even though Bruce, Ken and I are not qualified psychologists, I think that we can still express our opinions, as long as we do not masquerade as subject matter experts. As a qualified engineer, who majored in electrical engineering but was also taught about the real engineering disciplines of mechanical and civil engineering, I agree with Ken and others that an engineering education is well suited to preparing people to become security practitioners. Engineers are certainly trained to understand and evaluate potential failures of physical and logical assets. They learn about reliability and availability, MTBF (mean time between failures) and MTTR (mean time to repair), the “bathtub” curve and related concepts. They are encouraged to test products to failure and design fail-safe systems with protective mechanisms for when something does fail. But do you know the difference between safety and security? For example, do you know whether your door entry security system fails open or closed when the computer system controlling physical access goes down? Failing closed is more secure, but jeopardizes the lives of anyone who might be trapped in a blazing inferno, unable to get out of the building. Failing open better meets the safety requirement, but is clearly less secure in terms of protecting non-human assets from compromise, theft or damage. This is something you need to know, as it can be a matter of life and death.
When bridges, security systems, etc., fail, news of the incident will hit the headlines. One such example was the collapse of the Tacoma Narrows Bridge on November 7, 1940 (well worth viewing on YouTube). Another historic example of trial-and-error is the building of the pyramids - the area is scattered with designs that collapsed before architects determined the correct incline.
I believe that security professionals and engineers can have a security perspective of the world without being compulsive or paranoid about it or having a criminal mind. It is just good engineering to consider the various ways in which systems can be compromised or fail and to design for such potential events. I could even go so far as to say that an engineering background is more likely to result in someone being security minded than is mathematics - but that might arouse the ire of those mathematicians in our ranks, so I will reserve judgment on that issue. It is the old discussion about whether genes, environment, education or experience has the greatest impact in creating that appropriate degree of circumspection and level of suspicion to be a good security person. I believe that all these factors have an influence, but at the top of my list is having a strong and sincere intellectual and practical interest in protecting people (and oneself) from the many threats and dangers to which we are continually subjected.
So let’s just say that it is my opinion that aspiring security professionals, whatever their origins and backgrounds, can and should be trained to recognize security issues in existing and new technologies and processes, and can and should learn how to come up with effective means of dealing with the security risks that they identify. Let’s not focus on who does or doesn’t have the appropriate ‘tude for doing a good security job, but rather on how we can train every security practitioner to be more aware of the threats and vulnerabilities that challenge us every day.