Q&A

Bruce Schneier Q&A: The Endless Broadening of Security

For Bruce Schneier, the security discipline still evolves and expands. Now he's the one trying to expand it.

By Scott Berinato

CSO: What would you name this collaborative discipline? Anthro-security?

Schneier: I like "Security and Human Behavior" because it captures the evolution of the discipline. The convergence of security research with ideas from economics, which began in the late 1990s, begat the economics of information security, and the first WEIS conference in 2001. This led to a convergence of psychology, usability, economics, and security and privacy. Now we're seeing a convergence of behavioral economics and the psychology of information security, with all those other disciplines thrown in, which I hope will continue to grow.

CSO: You've said you hope even poets get involved?

Schneier: Yes, even poets and writers have something to say here. Certainly horror writers like Stephen King and Dean Koontz understand humans and fear.

CSO: Let's talk about the neuroscience aspect of this. The use of fMRI images of the brain is becoming a pop phenomenon. Because we can see parts of the brain "light up" in these studies, we make simple causal connections between how the brain works and how we behave. It seems like people are using brain scans to explain away many behaviors, even if the underlying science is far more complicated than the popular stories about this technology make it seem. Can you talk about that?

Schneier: Recently there have been enormous scientific advances in understanding the human brain, but neuroscience is still in its infancy; scientists are still groping around looking for coherent theories. And certainly, whenever someone says something like "the seat of this piece of cognition is in this part of the brain," they're making a gross oversimplification.

Making security trade-offs is fundamental to being alive. After figuring out how to eat and reproduce, the next most important thing for a species to figure out is how to avoid predators. So with security such a fundamental driver of brain development, it's not surprising that very primitive parts of our brain control some of our basic security reflexes. The amygdala, for example, is an ancient part of the human brain that first evolved in primitive fishes. It's what controls the fight-or-flight response: increased heart rate, increased muscle tension, sweaty palms, and so on. That part of the brain is so fast that when you see a snake, your amygdala starts working even before your conscious brain knows what you're looking at. You can override your amygdala. That's part of what makes you uniquely human, and it happens whenever you take a dressing-down from your boss and just listen instead of either running away or stabbing him with a spear. But it's hard.
