Shostack + Friends Blog Archive

 

"A Call for Evidence-Based Security Tools"

Via Schneier: From the Open Access Journal of Forensic Psychology, by a large group of authors: “A Call for Evidence-Based Security Tools” [link to http://web.me.com/gregdeclue/Site/Volume_1__2009_files/Meijer%202009.pdf no longer works]:

Abstract: Since the 2001 attacks on the twin towers, policies on security have changed drastically, bringing about an increased need for tools that allow for the detection of deception. Many of the solutions offered today, however, lack scientific underpinning.

We recommend two important changes to improve the (cost) effectiveness of security policy. To begin with, the emphasis of deception research should shift from technological to behavioural sciences. Secondly, the burden of proof should lie with the manufacturers of the security tools. Governments should not rely on security tools that have not passed scientific scrutiny, and should only employ those methods that have been proven effective. After all, the use of tools that do not work will only get us further from the truth.

I would quibble with their second recommendation: the burden of producing evidence may well lie with the manufacturers. But these tools are imposed on the public and the citizens of a nation, and there needs to be a public and open process that owns the evaluation of the proof.

But it’s an important step forward for forensic psychology.