One of my favorite thinkers on the subject of security, Bruce Schneier, wrote this great blog post recently. Schneier has a very solid, rational approach to the subject; I think of him as the economist of security, because he tends to present security in economic terms: trade-offs, costs and benefits. He coined the term “security theater,” meaning security measures that don’t provide actual security, and that may exist to further some other agenda than security, or secure a different resource than claimed.
But here he is, rationally (and compassionately) defending the practice of security theater in certain circumstances:
We make smart security trade-offs — and by this I mean trade-offs for genuine security — when our feeling of security closely matches the reality. When the two are out of alignment, we get security wrong. Security theater is no substitute for security reality, but, used correctly, security theater can be a way of raising our feeling of security so that it more closely matches the reality of security. It makes us feel more secure handing our babies off to doctors and nurses, buying over-the-counter medicines and flying on airplanes — closer to how secure we should feel if we had all the facts and did the math correctly.
Of course, too much security theater and our feeling of security becomes greater than the reality, which is also bad. And others — politicians, corporations and so on — can use security theater to make us feel more secure without doing the hard work of actually making us secure. That’s the usual way security theater is used, and why I so often malign it.
But to write off security theater completely is to ignore the feeling of security. And as long as people are involved with security trade-offs, that’s never going to work.
This so reminds me of another security expert I admire, Gavin de Becker. De Becker wrote The Gift of Fear, my second-favorite security book (after Schneier’s Beyond Fear). De Becker’s approach is nicely complementary to Schneier’s: he addresses those moments when that primal part of your brain (the amygdala, I suppose) is saying “Something is wrong here…” His work is about tuning into, educating, and using that part of your mind to protect yourself in bad situations.
Schneier’s work is more about the situations when that part of your mind is a bad fit for the problem: it can save your life in a dark alley, or save you money in a bad business negotiation, but it won’t help you assess the security measures for your company’s network, or think sensibly about national security. When you aren’t confronted with visceral, accurate signs of human malice, Schneier clarifies things immensely. When you are, de Becker is your man. Problems occur when the wrong part of the mind is used to make security decisions.
I think there is important work to do around that boundary, between times when our primal minds will save us, and times when our rational minds will do a better job. In his post, Schneier is talking about a subtle point of detail in that boundary. I think it would be useful, socially and politically, for these two to get together. If Schneier and de Becker worked together, they could create some really useful mind-training, to help people use their entire mind-stack effectively to address the real threats we face.
In my own work, I have the responsibility to create complex systems, and then help my customers navigate those systems. I often must help people who are overwhelmed by complexity, and aren’t dealing with it well. I see this reflected in the world at large, and nowhere do I see bigger problems matched with worse thinking than in the field of security, on a political scale.
How ’bout it, guys?