Q&A
Bruce Schneier: More on the Broad View of Security
Schneier on how other fields can contribute to solving security puzzles. (Part of the What Happens Next security predictions series.)
By Derek Slater
On a different note, your blog post "FBI Stoking Fear" calls to mind a conundrum in security, particularly regarding low-probability, high-impact events. After 9/11 some media outlets described those attacks as 'unimaginable', but of course they had been imagined and written about in some detail. Now we see that Mumbai had various warnings or intelligence reports. But it's hard to differentiate communications about "could happen" and "might have been tossed around in an online forum" and "likely to happen" in a meaningful way (particularly given that an internal FBI memo may become external, etc.). How should companies in particular think about these things?
People tend to estimate the probability of something happening based on how easy it is to bring instances of that thing to mind. So it's easy to overestimate the probability of something that actually happened, and to underestimate the probability of something that didn't happen. You see this cognitive bias when people talk about how likely a past outcome was: Monday morning quarterbacking, it's called. It's important not to lose sight of real probabilities. With regards to terrorism, any one attack -- either tactic or target -- is very unlikely, but it's easy to get wrapped up in defending against exactly what the terrorists did last time. It's far better to invest in security that defends against a broad spectrum of attacks: intelligence, investigation, and emergency response.



