SOFTWARE REVIEW

Beyond Fear review

Editors' Rating: 9.0 (Spectacular)

Wendy M Grossman, ZDNet.co.uk

Published: 27 Oct 2004

Bruce Schneier is that rare thing: a security expert who writes and thinks well about popular issues. Beyond Fear: Thinking Sensibly About Security in an Uncertain World is his attempt to get people to think rationally in the wake of the 9/11 attacks. It is therefore about physical-world security as much as or more than it is about computer security. Schneier's purpose, however, is more along the lines of teaching people how to fish. That is, he doesn't hand out a prescription for good security, so much as lay out principles to help people make better decisions about security.

All security systems, no matter what their nature, involve trade-offs. It is up to the person doing the specification to decide what the risks and trade-offs are, and decide whether the demands the security system will make are worth it. To help people make those assessments, Schneier boils the process down to five steps:

  • Define the assets you want to protect.
  • Assess what the risks are against those assets.
  • Understand how well the proposed security system mitigates those risks.
  • Assess the additional risks the security system might introduce.
  • Work out what the trade-offs are.

It doesn't help that people are notoriously bad at assessing risk: most people, Schneier points out, are more likely to die of a bee sting than a terrorist attack, yet they are more frightened of terrorism.

In one chapter, Schneier applies these principles to the example of sending credit card information over the Internet, and concludes that giving up the convenience isn't worth it given the minimal risk of the information being stolen. In part, that's because the alternative doesn't really mitigate the risk either: credit card information can be stolen over the phone, by fax or in person, too. In other sections of the book, he considers the anti-terrorist measures that have been put in place in airports since the September 11 attacks; national intelligence operations; and more specifically computer-related security issues such as identification, authentication, and authorisation.

One problem, of course, is that security is often not within our control, or not fully. Schneier's best example of conflicting agendas and needs is post-9/11 airport security. Right after the attacks, the US government wanted to ban notebook PCs in-flight; airlines, knowing that their most profitable passengers would revolt, fought against the idea. We, as customers, were not directly consulted or offered a choice either way.

An important theme throughout the book is understanding how and why security systems fail. Often, Schneier says, it's the seams in a system that give attackers a way in: data might be secure in its locked filing cabinet or its password-protected and encrypted database, for example, but be open to copying when it's being keyed in from the old system to the new one. Often, as others have said before, the weakest link is people. New technology can make formerly secure assets vulnerable -- for example, when someone adds an unprotected wireless access point to a secure wired network.

One of Schneier's most important principles -- that security is a process -- can't be repeated often enough. Security is not something you can install once and forget. It is not a product. Security needs must be continuously reassessed, because risks and trade-offs are perpetually changing.


Overview

Verdict: In this book, Bruce Schneier argues that successful security requires the continuous assessment of risks and trade-offs.

Typical price: £12
