InfoSec 2008

10:38 am Development, Random

I visited Infosec Europe again this year, mainly just to see Bruce Schneier really. The show seems to be much more marketing than I remember in past years; perhaps I was just in the wrong places.

Anyway, Bruce’s presentation was fantastic. It was basically looking at the psychology of feeling secure over being secure and the impact this can have. I really like this idea because it fits with my theory of ability and gives me a much more eloquent model to describe it. (My model of knowledge/ability is basically that people who tell you they are an expert in something generally know so little they don’t even realise the enormity; I’ve had ‘Flash Gurus’ who don’t even know what ActionScript is and ‘Expert MS Office’ users who don’t know what a macro is and can’t write an Excel formula.) Anyway.

As I understand it, Bruce’s theory of security is based on a model of:

  • Reality – what the potential threat/situation is
  • Model – the way the user understands Reality, based on knowledge (books, experience, news, peers)
  • Feeling – how the user feels emotionally about the situation

Bruce suggested that we are poor at making security decisions because our models and feelings as humans have evolved over millennia to help us in a fight or flight situation, not in a pragmatic, sort-the-facts-out-and-adjust-our-models kind of way. The problem is that our context for these decisions is wrong.

To me it shows why the experience gained by doing a job is so important: your model is adjusted by constant feedback of what has and hasn’t worked. Why do you know that? Because I’ve done it. This experience is often overlooked and people assume that someone with a higher qualification in a subject will be better at a job in that area – not necessarily true.

Anyway, to find out more about what Bruce said, read his article, The Psychology of Security.
