Shostack + Friends Blog Archive



Don’t miss this fascinating article in the New York Times, “Why Isn’t the Brain Green?” You can read it for itself, but then you hit paragraphs like this:

It isn’t immediately obvious why such studies are necessary or even valuable. Indeed, in the United States scientific community, where nearly all dollars for climate investigation are directed toward physical or biological projects, the notion that vital environmental solutions will be attained through social-science research — instead of improved climate models or innovative technologies — is an aggressively insurgent view. You might ask the decision scientists, as I eventually did, if they aren’t overcomplicating matters. Doesn’t a low-carbon world really just mean phasing out coal and other fossil fuels in favor of clean-energy technologies, domestic regulations and international treaties? None of them disagreed. Some smiled patiently. But all of them wondered if I had underestimated the countless group and individual decisions that must precede any widespread support for such technologies or policies. “Let’s start with the fact that climate change is anthropogenic,” Weber told me one morning in her Columbia office. “More or less, people have agreed on that. That means it’s caused by human behavior. That’s not to say that engineering solutions aren’t important. But if it’s caused by human behavior, then the solution probably also lies in changing human behavior.”

and ask…can we just substitute in security? One of the key messages in the New School (the book) is in the chapter “Amateurs study cryptography, professionals study economics.”

It’s a great article. I would suggest that we need a New School of Environmental Sciences, but 20 years ago, I was taking an environmental science course of study [link to no longer works] that included chemistry and biology, along with economics, psychology and public policy.

It’s almost enough to make you wonder if Kuhn was right.

2 comments on "s/green/secure/g"

  • Ben says:

    I think this is an excellent observation, and absolutely true. To give you more evidence consider this:
    a) People generally don’t understand this whole “reduce carbon emissions” concept because it’s an abstract concept, not easily related to making human life better.
    b) People generally don’t understand this whole “information security” concept because it’s an abstract concept, not easily related to making human life better.

    Now, “making human life better” spins differently between the two, but fundamentally it’s the same idea. This is really the crux of Bjorn Lomborg’s arguments, too. People understand funding research to cure diseases. People understand buying mosquito nets for equatorial people to help prevent the spread of insect-borne diseases. People understand switching to alternative energy sources that are more affordable than petroleum. People /do not/ understand “generating less CO2” because everything generates it and it does not directly correspond with an improvement in the quality of life.

    Similarly, in infosec, people understand locking doors. They understand (generally) not giving papers to people who aren’t authorized to see them. They understand having locking mailboxes to keep people from stealing mail, and they understand shredding sensitive documents. However, the average user definitely /does not/ understand risk management applied to systems and data. They don’t understand strong passwords, which make their lives more difficult. Even non-infosec techies have difficulty with notions like hardening servers (“we have a firewall, why do I need to also remove those services?”) and defense in depth. In fact, worse than the green scene confusion, infosec generally makes life /harder/ for people (at least in the short-term), all to keep bad things from happening. When we do our jobs right, there’s no feedback mechanism to reinforce this good behavior. D’oh! 🙂

  • shrdlu says:

    (No, Adam, the title isn’t too geeky. 😉) This makes complete sense to me, since both topics are about risk reduction, and people will not give up their conveniences to reduce risk until and unless they believe that the risk will affect them personally with a high level of probability. Add to that the fact that in the US in particular, aggregated risk management is seen as “infringing on one’s personal freedoms” (see also: tea parties).
