Wednesday, June 30, 2004

USENIX '04: Bruce Schneier, Thinking Sensibly About Security in an Uncertain World

no powerpoint!

security is always a tradeoff

we are all security consumers, but are we getting a good deal on our investment?
* bulletproof vests are not worth it for most of us
* locking hotel door
* eating at starbucks

humans do security tradeoffs intuitively -- in fact, all animals do

on the other hand, we don't always make the right tradeoffs

the perception of control leads to a lessened sense of risk, even when this is false
* we feel safe in cars, but not planes, when the opposite should be true

(ignore the news -- if the events they show were common, it wouldn't be news)


Technology obscures risks


Any security decision involves players / stakeholders
they have their own perspectives, needs, agendas

the boston DNC tradeoffs make no sense, but city officials are happy with the tradeoff & terrified of the risk -- the people making the tradeoff aren't the ones inconvenienced

the military officials that authorized shooting down flight KAL007 did so because the last time a plane violated soviet airspace, that general went to jail; for this guy, shooting down the plane was better than jail, so he gave the order

average people have no incentive to find counterfeit currency

likewise with police, airline security, etc

schneier yesterday had an argument over getting around having his photo taken by building security in order to have a meeting at a downtown company. neither the VP he was meeting nor the boss of the security agent was able to bend the policy to let him in; eventually the security boss's boss found an "exception" to the mandatory photos rule, but said schneier was the first person to exercise it


we often don't think to exercise our leveraging power when making security negotiations

brilliant security countermeasure: "your purchase free if you don't get a receipt" -- it gets the customer involved as a stakeholder in the security equation in order to discourage employee theft


we need to accept risk; this may not be hard for usenix attendees, but it's frightening to most people

basic tradeoffs make sense, but diminishing returns kick in quickly

consumers have all the power, but we don't think to exercise it -- WE SHOULD!