Breaking News: Research key to good apps: Westpac CIO

ZDNet / Schneier / Story

Schneier: Why rubbish security products win out

By Angus Kidman, ZDNet.com.au on January 30th, 2008 
Submit
Bruce Schneier

Linux.conf.au kicked off its main proceedings in Melbourne on Wednesday morning with a stark message from security guru Bruce Schneier: "When security companies give you cost justifications, they're complete bullshit."

Schneier, author of the books Applied Cryptography, Secrets and Lies and Beyond Fear and described by outgoing Linux Australia president Jonathan Oxer as "a walking security advisor on the entire human race", told a sold-out keynote audience that IT security planning is rarely effective because it fails to take into account the emotional considerations involved in security.

Most security products either address perceived gaps in security and provide an emotional sense of stability without actually doing much useful, or solve actual problems but don't impart the same sense of security, he suggested.

"You can feel secure even though you're not, and you can be secure even though you don't feel it," Schneier said.

"Making security trade-offs is something we do multiple times a day," he noted. "You'd expect human beings would be really good at making these trade-offs, but fundamentally we're hopelessly bad at it." The reason for that, he said, is that "we respond to the feeling of security rather than the reality".

Evolution means that pattern will be difficult to reverse, Schneier argued. "Our society is evolving faster than our species. Modern times are harder. Technology makes it harder, and the media makes it harder."

"People make the trade-off based on the feeling of security, not the reality. The economic incentives are for companies to make people feel secure. That's where you are rewarded in the market."

Drawing on George Akerlof's "lemons market" theory on the economics of information asymetry, Schneier said: "In markets where the seller knows a lot more than the buyer, bad products drive out good products -- and this is very much the case for security."

One notable problem, said Schneier, is the return on investment calculations for security software, which often draw on rare and devastating events to justify their cost: an approach which renders basic mathematics of little use.

"In IT, there isn't a lot of data -- this is one of the problems we have. You have to rely on emotion because we don't have the data. It's very hard to evaluate non-functional requirements."

Understanding of fundamental security principles also needs to dramatically improve, Schneier said.

"We know very little about software security. We can't even prove a program terminates, let alone that it's secure. We don't have a rigorous security methodology. It's going to be a long time before it can be applied to programs and systems and anything resembling actual commercial size."

Talkback

Add your opinion

In order to post a comment, you need to be registered. (Sign In or register below)

Post your comment

Terms of Service - As a ZDNet registrant, and by using this service, you indicate that you agree to our Terms and Conditions and have read and understand our Privacy Policy.

Tech Blueprint

IT Priorities Special Report: Security

Emerging Technologies, and the New IT Security Landscape

IDC White Paper on Consumerisation Security

Get expert advice for developing or improving your BYOD security strategy.
Read white paper >

Mobile Trends and Perceptions

Survey by Decisive Analytics exposes the good and bad realities of BYOD.
Read analyst report >

ZDNet Australia Live

Research key to good apps: Westpac CIO - ZDNet Australia http://t.co/q2fxIL37

Research key to good apps: Westpac CIO - ZDNet Australia http://t.co/Pdf4RQXG

Research key to good apps: Westpac CIO - ZDNet Australia: Research key to good apps: Westpac CIOZDNet AustraliaW... http://t.co/JfGDCCud

Research key to good apps: Westpac CIO - Business - News - ZDNet Australia http://t.co/gxuA3C01

CIOview Research key to good apps: Westpac CIO - ZDNet Australia http://t.co/jRacRqbU

iPad news: Research key to good apps: Westpac CIO - ZDNet Australia http://t.co/coXq00rx

RT @zdnetaustralia Westpac: knowing the device and a user's behaviour is key to developing a good app: http://t.co/o5GXQhGj ^LH

Westpac: knowing the device and a user's behaviour is key to developing a good app: http://t.co/1FxHn0kT ^LH

Research key to good #apps: #Westpac CIO http://t.co/0T0xmWfl #mobile #android #iphone

surprised that #DHS labelled BYOD immature. i'm thinking the "for us" is a closer reflection of market readiness http://t.co/4cLnsFiE

SAP eyes #cloud super network with Ariba buy: SAP America is looking to develop "the business network of the fut... http://t.co/t3a2MOGj

by http://t.co/vmlLt4bh: Research key to good apps: Westpac CIO: Westpac announced yesterday that it has over a m... http://t.co/ua2LT4xZ

RT @Maynardcomau: I missed this story on the ABC website http://t.co/uBoQw8mh

Research key to good apps: Westpac CIO http://t.co/KFfxHxDO

Research key to good apps: Westpac CIO: Westpac announced yesterday that it has over a million users actively si... http://t.co/QAGGwpWu

Research key to good apps: Westpac CIO - ZDNet Australia: Research key to good apps: Westpac CIOZDNet AustraliaW... http://t.co/JJ9mYDXF

RT @zdnetaustralia: SuccessFactors launches Sydney datacentre to host BizX suite for local customers http://t.co/xKvbJnNj ^ST

RT @zdnetaustralia: SAP buys Ariba http://t.co/cQy8nVWp ^ST

SuccessFactors launches Sydney datacentre - Hardware - News - ZDNet Australia | @scoopit http://t.co/B7cK54tF

Research key to good apps: Westpac CIO: Westpac announced yesterday that it has over a million users actively si... http://t.co/0b9GEFrY

SuccessFactors launches Sydney datacentre to host BizX suite for local customers http://t.co/xKvbJnNj ^ST

SuccessFactors launches #Sydney datacentre - @ZDNet Australia : http://t.co/qyzZ4zZN

@Wow - thats one of the benefits of the iPad (and tablets in general). They are one of the most generation neutral products ever made. ...

53 minutes ago by Gav on Westpac board goes paperless with iPads

by http://t.co/vmlLt4bh: Kaspersky's antivirus denied on iOS: Kaspersky Lab is the latest company to be denied th... http://t.co/GpQkVZ2C

A farewell to democracy: Kaspersky http://t.co/VAIQbbXY

@mikey_halapir http://t.co/VOegcFoc FOUND IT.

Android's biggest security flaws http://t.co/00YQDw9T

SuccessFactors launches Sydney datacentre http://t.co/wdofhAGS

#DataCentre SuccessFactors launches Sydney datacentre - ZDNet Australia: SuccessFactors launches Sydney datacent... http://t.co/ajyQKEPL

SuccessFactors launches Sydney datacentre - ZDNet Australia: SuccessFactors launches Sydney datacentreZDNet Aust... http://t.co/VpHzoKJc

Kaspersky is now yet another company that Apple won't let make an official AV app for iOS. http://t.co/E0CsunQ1

and why is this such a super idea? http://www.itnews.com.au/News/301778,thousands-affected-in-billing-cloud-breach.aspx oh, yeah, right...

1 hour ago by btone on Fed Govt steps up on shared cloud plan

SAP eyes cloud super network with Ariba buy: By Rachel King, ZDNet US on May 23rd, 2012 (5 mins ago) SAP America... http://t.co/gHVI2Q1x

BYOD too immature for us: Human Services http://t.co/d5bL19GZ via @zdnetaustralia

Kaspersky's antivirus denied on iOS: Kaspersky Lab is the latest company to be denied the chance to develop an o... http://t.co/ik2mlpZR

Dell profits plunge in spending lull - Hardware - News - ZDNet Australia | @scoopit http://t.co/iqiQnzox

Automation key for time-poor security boffins http://t.co/qyCXzOwl via @zdnetaustralia

Wow, seems like a fantastic initiative that helps to save the environment. It must have taken a lot of convincing to get the Board to mov...

1 hour ago by Wow on Westpac board goes paperless with iPads

I'm a payed up lib member who has voted Labor in the last 2 federal elections. I had the previlege of speaking to Mr Turnball 3 months ag...

2 hours ago by spazmanaught on NBN contracts may be left alone: Turnbull

Good to see Westpac's concentrating on the real IT issues !

2 hours ago by jeff_syd on Westpac board goes paperless with iPads

I am not sure how this issue becomes an attack on Mr Turnbull. But I guess he is fair game. In any event I would have thought a Ddos woul...

13 hours ago by Doubt on National Botnet Network coming: Earthwave

I still use 98SE. Windows ME was an abortion in a bucket and Vista was ME without the bucket. My screen may look boring, but I jumped str...

13 hours ago by Treknology on Microsoft admits Vista was 'cheesy'

This story has been voted 10 times in the last 24 hours!

13 hours ago, CeBIT 2012 opens: photos

This story has been voted 15 times in the last 24 hours!

13 hours ago, Lenovo ThinkPad 3G tablet (32GB)

Well I don't know what they have done with their EFTPOS machines, local one in WA Coles Express I used this morning and I normally do "ch...

14 hours ago by harryinthesoup on Coles ditches PINs in payment pilot

6.7 M last ditch attempt - interesting - The Auckland region (population 1.4 mil) has estimated to have spent less than this in total ...

17 hours ago by debsteele on Vic scraps HealthSMART system

Interesting - no mention of Win 98/ME/2000 ... which heralded Internet access for millions of users ? I thought Win 98/ME would be the mo...

18 hours ago by gouranga on Microsoft admits Vista was 'cheesy'

An Application like Good from Good Technologies does the same thing, working with the enterprise email server and is off the shelf.

18 hours ago by Helpdesk123 on Westpac board goes paperless with iPads

Never mind a "B+" version, go for "C" and put in a few extras. I'd like a high speed ADC (100Msps) but that's just me... Final size? Equ...

19 hours ago by sa_penguin on Raspberry Pi architect mulls design change

what a non-story. these thing happen all the time. is zdnet short on material?

20 hours ago by paulwrussell on Spotify launch suffers redirect bungle

4 months old phone died. Took 6 weeks, three visits to the authorised repairer (Fonebiz) to "fix it". 2nd hand untested parts used, I say...

20 hours ago by paracin on Sony Ericsson Xperia Arc S

It's easy to rubbish an old operating system long after the rest of the world has already passed judgement upon it. I would be far more i...

21 hours ago by ramnet on Microsoft admits Vista was 'cheesy'

If Vista is cheesy, Metro is an over-ripe Stilton.

21 hours ago by meski on Microsoft admits Vista was 'cheesy'

you are kidding right - what qualification do you have to make such wildy stupid statements - do you really have customers who pay you fo...

21 hours ago by rant rant rant on National Botnet Network coming: Earthwave

Exactly. There are two topics of discussion, that are co-mingled; 1) Unauthorized software was put on the company device, by an IT person...

1 day ago by lamont on ABC's Bitcoin miner tackled in minutes

First off, Bitcoin is not a virus. Second off, the only way to generate Bitcoins, is by using a Bitcoin miner. More information on this h...

1 day ago by rizowski on ABC's Bitcoin miner tackled in minutes

When an operating system is sold it should not launch until an approved security service is purchased online with a list of approved supp...

1 day ago by Kevin Cobley on National Botnet Network coming: Earthwave

Facebook Activity

Keep up with ZDNet Australia

LinkedinLinkedin Join our network

RSS FeedsRSS Feeds Subscribe now

NewslettersNewsletters Subscribe today

AlertAlertsSubscribe now

ZDNet Events Calendar

ZDNet Events Calendar

Plan Comparison

Prev Next
Loading...
Deals powered by WhistleOut

Sponsored resources