Schneier: Why rubbish security products win out
Linux.conf.au kicked off its main proceedings in Melbourne on Wednesday morning with a stark message from security guru Bruce Schneier: "When security companies give you cost justifications, they're complete bullshit."
Schneier, author of the books Applied Cryptography, Secrets and Lies and Beyond Fear and described by outgoing Linux Australia president Jonathan Oxer as "a walking security advisor on the entire human race", told a sold-out keynote audience that IT security planning is rarely effective because it fails to take into account the emotional considerations involved in security.
Most security products either address perceived gaps in security and provide an emotional sense of stability without actually doing much useful, or solve actual problems but don't impart the same sense of security, he suggested.
"You can feel secure even though you're not, and you can be secure even though you don't feel it," Schneier said.
"Making security trade-offs is something we do multiple times a day," he noted. "You'd expect human beings would be really good at making these trade-offs, but fundamentally we're hopelessly bad at it." The reason for that, he said, is that "we respond to the feeling of security rather than the reality".
Evolution means that pattern will be difficult to reverse, Schneier argued. "Our society is evolving faster than our species. Modern times are harder. Technology makes it harder, and the media makes it harder."
"People make the trade-off based on the feeling of security, not the reality. The economic incentives are for companies to make people feel secure. That's where you are rewarded in the market."
Drawing on George Akerlof's "lemons market" theory on the economics of information asymetry, Schneier said: "In markets where the seller knows a lot more than the buyer, bad products drive out good products -- and this is very much the case for security."
One notable problem, said Schneier, is the return on investment calculations for security software, which often draw on rare and devastating events to justify their cost: an approach which renders basic mathematics of little use.
"In IT, there isn't a lot of data -- this is one of the problems we have. You have to rely on emotion because we don't have the data. It's very hard to evaluate non-functional requirements."
Understanding of fundamental security principles also needs to dramatically improve, Schneier said.
"We know very little about software security. We can't even prove a program terminates, let alone that it's secure. We don't have a rigorous security methodology. It's going to be a long time before it can be applied to programs and systems and anything resembling actual commercial size."