5 November 2003

Security specialists should think less about technology and more about processes, according to IT security expert Bruce Schneier.
“Security has never been a technology problem, it’s always been a people problem,” said Schneier, the chief technology officer of Counterpane Internet Security. All security involves trade-offs in terms of cost and convenience and can also have knock-on effects that may undermine the original security measure, he added.
Furthermore, security systems that successfully keep out attackers can also fail because they lock out or inconvenience legitimate users. “An ATM [automated teller machine] that shuts out one in 100 legitimate users will never be deployed… firewall rule sets get turned off because of complaints from legitimate users,” he said.
As a result, “the security measures people take have very little to do with security,” said Schneier.
At the same time, organisations will adopt security measures that are in their best interests. For example, banks rarely examine the signatures on cheques because it is cheaper for the bank to leave it to account holders to check their own bank statements.
Schneier, a respected cryptographer and author of a number of books on computer security, was speaking at the RSA Security conference in Amsterdam. His thinking on security has shifted from the purely technical to a higher, more organisational level because, he believes, it is often the implementation of a security system, rather than the underlying technology, that determines how effective it is.
Schneier suggests that organisations ought to work through a five-point process to evaluate what it is they want to protect, how they can best protect it, and what the likely consequences of that action might be:
- What assets are you trying to protect?
- What are the risks against them?
- How well do the proposed counter-measures defend against the risks?
- What other security problems are the counter-measures likely to cause?
- What are the costs of the counter-measures?
Schneier’s latest book, Beyond Fear: Thinking Sensibly About Security in an Uncertain World, was written in response to security measures introduced following the 11 September 2001 terrorist attacks on New York and Washington.
Schneier suggests that many of these measures, such as the introduction of identity cards in the UK and some of the security measures in place at US airports, are ineffective because they have not been properly thought through.
The idea was to take the principles of good security to a wider audience and to demonstrate that they are essentially the same, regardless of whether they are implemented in the ‘virtual’ world or the real world. “I wanted to write a book that my mother could understand… She’s read it and she likes it,” said Schneier.