Bruce Schneier Q&A: The Endless Broadening of Security

For Bruce Schneier, the security discipline still evolves and expands. Now he's the one trying to expand it.

By Scott Berinato

Schneier: There are lots of examples of technically sound security ideas that never got fielded because the economic model was wrong. There was never any customer for digital cash because no one who was in a position to pay for the system cared about customer privacy. Instead, we ended up with PayPal, which isn't anonymous, but is easy to use and has a recognized income model. Solutions that defend against malware in the backbone don't work because the pain is felt at the endpoints. Cell phone companies spend millions to prevent toll fraud, but nothing on voice privacy. I could go on and on. It's not surprising, really. Security is fundamentally about people, and everything we know about people is relevant to security. What's more surprising to me is how so many of us security technologists have ignored the social sciences for so long.

CSO: "Everything we know about people is relevant to security" is broad! How broad can your security context get? Do you end up so broad that everything we do is characterized by that fundamental security proposition of fight-or-flight?

Schneier: I think you have to end with human psychology. In the end, security is about people. It's about how people make security trade-offs. Yes, it's about fight or flight, and it's about fear. But it's also about thinking rationally and making intelligent trade-offs. That's what separates us from the rest of the animals. We can override our fear, our fight-or-flight mentality. We can reason. We can think.

CSO: You're on the precipice of formalizing some of these ideas from the past half-decade into nothing less than a new academic discipline. Tell me what that is, what you hope to accomplish, and how it comes about that you see something so all-encompassing so clearly.

Schneier: It's a combination of disciplines: experimental psychology, behavioral economics, evolutionary biology, cognitive science, neuroscience, and game theory, with bits of philosophy, sociology, and anthropology. All of these disciplines are coming together to explain how we think, and they have a lot to say about how we process fear, risk, security, costs, and trade-offs. Researchers from these disciplines have a lot to teach us in computer security, and we have a lot to teach them. It is my hope that by bringing all these people together—which I'm trying to do at the Workshop in Security and Human Behavior this June—these different disciplines can start talking to each other, and eventually start collaborating with each other.