Beyond Fear: Thinking Sensibly About Security in an Uncertain World
Author: Bruce Schneier. Publisher: Springer
Media: Hardcover. Pages: 295
ISBN: 0387026207. EAN: 9780387026206. Dewey Decimal Number: 363.32
Publication Date: May 4, 2003
Editorial Reviews:
Product Description

From the reviews:

"Does arming pilots make flying safer? Computer security guru Schneier applies his analytical skills to real-world threats like terrorists, hijackers, and counterfeiters. BEYOND FEAR may come across as the dry, meticulous prose of a scientist, but that's actually Schneier's strength. Are you at risk or just afraid? Only by cutting away emotional issues to examine the facts, he says, will we reduce our risks enough to stop being scared." --Wired

"In his new book, 'Beyond Fear', Bruce Schneier -- one of the world's leading authorities on security trade-offs -- completes the metamorphosis from cryptographer to pragmatist that began with Secrets and Lies, published in 2000. The new book dissects a range of security solutions in terms of the agendas of the players (attackers and defenders) and touches -- too briefly -- on ways of modifying those agendas. I particularly like the idea that insurance, the standard tool used in business to control risk and convert variable costs to fixed costs, can help make developers accountable for insecure software. Product-liability laws aren't likely to change anytime soon. But if actuaries measured the risk associated with use of competing software products and priced insurance policies accordingly, maybe we could close the feedback loop in a positive way." -- infoworld.com

Many of us, especially since 9/11, have become personally concerned about issues of security, and this is no surprise. Security is near the top of government and corporate agendas around the globe. Security-related stories appear on the front page every day. How well, though, do any of us truly understand what achieving real security involves? In Beyond Fear, Bruce Schneier invites us to take a critical look at not just the threats to our security, but the ways in which we're encouraged to think about security by law enforcement agencies, businesses of all shapes and sizes, and our national governments and militaries.

Schneier believes we all can and should be better security consumers, and that the trade-offs we make in the name of security - in terms of cash outlays, taxes, inconvenience, and diminished freedoms - should be part of an ongoing negotiation in our personal, professional, and civic lives, and the subject of an open and informed national discussion. With a well-deserved reputation for original and sometimes iconoclastic thought, Schneier has a lot to say that is provocative, counter-intuitive, and just plain good sense. He explains in detail, for example, why we need to design security systems that don't just work well, but fail well, and why secrecy on the part of government often undermines security. He also believes, for instance, that national ID cards are an exceptionally bad idea: technically unsound, and even destructive of security. And, contrary to a lot of current nay-sayers, he thinks online shopping is fundamentally safe, and that many of the new airline security measures (though by no means all) are actually quite effective. A skeptic of much that's promised by highly touted technologies like biometrics, Schneier is also a refreshingly positive, problem-solving force in the often self-dramatizing and fear-mongering world of security pundits. Schneier helps the reader understand the issues at stake, including the vast infrastructure we already have in place and the vaster systems--some useful, others useless or worse--that we're being asked to submit to and pay for, and how best to come to one's own conclusions.

Bruce Schneier is the author of seven books, including Applied Cryptography (which Wired called "the one book the National Security Agency wanted never to be published") and Secrets and Lies (described in Fortune as "startlingly lively...[a] jewel box of little surprises you can actually use."). He is also Founder and Chief Technology Officer of Counterpane Internet Security, Inc., and publishes Crypto-Gram, one of the most widely read newsletters in the field of online security.
Customer Reviews:

Informative, but a bit muddled when using security terms (Richard Bejtlich, Washington, DC; November 1, 2003)
"Beyond Fear" is a good book, but don't turn to it for proper definitions of security terms. Steer clear of this book's misuse of the words "threat" and "risk." While I appreciate Schneier's overall discussion of security issues, I expect a book aimed at the layman to be more accurate.

Schneier introduces the term "threat" on p. 20 with this example: "Most people don't give any thought to securing their lunch in the company refrigerator. Even though there's a threat of theft, it's not a significant risk because attacks are rare and the potential loss just isn't a big deal. A rampant lunch thief in the company changes the equation; the threat remains the same, but the risk of theft increases."

That's wrong; let's start with definitions (mine, based on intel experience -- not the author's). A threat is a party with the capabilities and intentions to exploit a vulnerability in an asset. A vulnerability is a weakness in an asset which could lead to exploitation. Risk is the possibility of suffering harm or loss. It's a measure of danger. All of these terms were defined years ago by military intel and law enforcement types, especially those doing counter-terrorism. In the lunchroom example, nobody initially "secures" their lunch, even though their "assets" are held in a "vulnerable" (unlocked, unguarded) refrigerator. Why? There's no "threat" -- people have the capability to steal lunches but nobody has evil intentions. "Risk" of losing one's lunch is close to zero. Now, add the "rampant lunch thief." The threat is NOT "the same"; a threat now exists for the first time. The risk equation changes -- risk of loss is much higher. (Countermeasures like a guard can reduce the vulnerability and bring risk of loss closer to the original low level.)

Another example of fuzzy thinking appears on p. 50. "Just because your home hasn't been broken into in decades doesn't mean that it's secure." Says who? If the threat the entire time was zero, the house was always perfectly secure. Vulnerabilities are but one part of the risk equation, which is Risk = Threat X Vulnerability X Cost of Asset. If any factor is zero, risk is zero.

One quick final example appears on p. 238: "The problem lies in the fact that the threat -- the potential damage -- is enormous." Wrong! A threat is an agent, or party, who wants to and can inflict damage. "Threat" in this sentence should be "cost," meaning the replacement value of the assets at risk.

A hint to the source of these errors appears on p. 82: "examining an asset and trying to imagine all the possible threats against that asset is sometimes called 'threat analysis' or 'risk analysis.' (The terms are not well defined in the security business, and they tend to be used interchangeably.)" Which security business? Counter-terrorism and intel folks know threat analysis is performed against groups with capabilities and intentions to harm American assets. Risk analysis calculates the potential for loss given a certain threat, an asset's vulnerabilities, and the value of that asset. It's the digital security community that's obscuring the definitions.

I loved "Secrets and Lies," and every time I see the author speak I learn something new. Am I off base with this review? You be the judge. I still gave it 4 stars, since the book's vignettes are informative and its scope impressive. Given the large number of reviewers I expected someone to challenge the author's terminology. Yes, this is semantics, but shouldn't a book by an expert set the record straight? I don't think my expectations are unrealistic, either; Schneier is a previously published "thought leader," and he deserves to be held to the highest possible standards.
Good book for the layman; entertaining but w/some flaws (James J. Lippard, Phoenix, AZ USA; November 21, 2003)
_Beyond Fear_ is a good book, and I'd put it into the "should read" but not "must read" category for people working in security (as opposed to _Secrets and Lies_, which I put into the "must read" category). There's little new or profound in the book, which is essentially an elaboration with examples on the five-step process of analyzing and evaluating security systems given on pp. 14-15 of the book:

1. What assets are you trying to protect?
2. What are the risks to these assets?
3. How well does the security system mitigate those risks?
4. What other risks does the security system cause?
5. What costs and trade-offs does the security solution impose?

In the process, Schneier provides many interesting examples. This is an excellent book on security for the layman. But it is definitely a book targeted at a popular audience. There are no footnotes or references, and Schneier occasionally tosses off remarks or asides that are questionable, if not false. There are two significant flaws in the book:

1. It exaggerates the subjectivity of a security evaluation. On p. 17, chapter two is titled "Security Trade-offs are Subjective." But it's not the trade-off itself that is subjective. It's not the risk assessment that is subjective. It is people's non-instrumental desires (basic desires) or values that are subjective. Schneier writes (p. 17) that "Different people have different senses of what constitutes a threat"--but some are right and some are wrong. His distinction between perceived and actual risk shows that the important one is actual risk, not perceived risk. Actual risk is objective, not subjective. Schneier continues "or what level of risk is acceptable." That can certainly have a subjective component, but even subjective components can conflict with each other and be internally inconsistent, indicating a problem in the evaluation. The final sentence of the chapter contradicts the chapter title: "Because we do not understand the risks, we make bad security trade-offs." (p. 31) If the trade-offs were subjective, there would be no such thing as a bad trade-off, only a trade-off perceived to be bad by someone. Later in the book Schneier contradicts the strong subjectivity claim (e.g., p. 249: "Massive surveillance systems are *never* worth it." (emphasis added)) I don't think he seriously meant to make the strong claim--I think it's just careless/imprecise writing. p. 259 seems to get it pretty much right, but he should really have found a philosopher to review this book--that a problem is intractable doesn't mean that the answer is subjective, nor does the fact that subjective interests enter into the picture mean that the answer, given those interests, is subjective.

2. The book argues for an exaggerated egalitarianism--that anybody, regardless of background, training, or intelligence, can do security analysis. At the same time, the book touches on some of the evidence that ordinary judgments are inaccurate, and that people are notoriously bad at estimating and comparing risks due to the natural use of heuristics like vividness, recency, etc. (the classic Kahneman and Tversky book, _Judgment Under Uncertainty_, summarizes some of this evidence). It would be grossly mistaken to think that Joe Schmoe off the street is going to be capable of designing (or evaluating) the effectiveness of a complex security system, versus people with appropriate training and experience--just as mistaken as hiring people with no computer knowledge to build and maintain your IT infrastructure. Again, like in point 1, Schneier says things which contradict the strong hypothesis he seems to argue for, for example when he writes that wealthy people want doctors who treat others, not just standing by on 24/7 on-call for those wealthy people, because they want doctors who are experienced.

And I think this is a good comparison--the position Schneier *should* be arguing for is that we should take responsibility for our own security in the same way that we should take responsibility for our own health. We still need to rely on experts, but we should take an active role in consulting with them and evaluating what they tell us, especially since (just as in health care and medicine) there are people who know what they are talking about and those who are snake oil salesmen.
Very Good, and Not as Muddled as One Has Claimed (J. Martens, Baltimore Metro Area, USA; October 19, 2005)
This book is very informative, interesting, and entertaining. I've recommended it to people both within and outside the CS and IT communities w/o reservation. Rather than reiterating things said in the many positive reviews, I'd like to take issue with one reviewer who says Schneier misuses the term "threat." In particular, this reviewer says "A threat is a party with the capabilities and intentions to exploit a vulnerability in an asset." This definition is both counter to standard English usage and counter to standard usage within the computer security field. Every book on my shelf has roughly the same definition of threat: "Threat: a potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm. That is, a threat is a possible danger that might exploit a vulnerability" -- Stallings, Network Security Essentials, p. 5. So a threat is a condition or event, not a party. The reviewer seems to confuse threat with potential adversary. Schneier's terminology is the standard terminology, and he uses it correctly.
Pragmatic advice (August 5, 2003)
Bruce's greatest strength is in the role of Evangelist -- he translates the complex aspects of security into a vocabulary suitable for common consumption. If you're a sociologist, a risk management officer, or a cultural psychologist, you'll be familiar with a lot of the upstream references from which Bruce draws his examples. Conversely, if you're working in an office where "solving that security problem" is one of your many tasks, you won't have the time or inclination to dig out the esoteric sources. Consider this book as an alternative, far less onerous choice.

The book is easy reading -- it flows quickly and keeps returning to a common set of themes. These are set against many contexts so you're sure to find something familiar. You won't find any math or Greek notation in here, to the disappointment of "Applied Cryptography" die-hards but the relief of everyone else. The underlying message, seeing beyond the Fear, Uncertainty, and Doubt (FUD) propagated by mass media and the government, is a key one to understanding why it's OK to question this hyper-security-conscious world we find ourselves in. Airline security is an arena familiar to most business travelers, and we as passengers are expected not only to accept increasingly invasive measures, but welcome them without hesitation. Bruce teaches us how to evaluate the efficacy of these schemes both individually and in the aggregate. The results will surprise all but the most cynical among you.

That said, this is not the textbook of a conspiracy theorist. Bruce willingly admits that improving security correctly is a worthwhile pursuit, and even teaches us how to do it. You won't find the rantings of an ill-informed libertarian crackpot. If your interests lead you to ask questions and be curious about the changes to your world in recent years, you will find this an entertaining and informative volume. Democrat or Republican, luddite or technology businessperson, it's worth a look at your earliest opportunity.
Fluffy rehash of the same old stuff (November 13, 2003)
If Bruce Schneier has acquired a habit, it is the ability to take the same old material and rehash it into different books, year after year. My guess is that, next year, he'll use another slightly different angle and try to sell you the same basic information.

What I find truly onerous about his books is the condescending tone that Schneier adopts when addressing the reader. Recently I spoke with a PhD, from Brown, who performed decades of research in number theory. He recommended "Cryptography in C and C++," by Michael Welschenbach. He also said "I don't know why people think Applied Cryptography is such a good book. He [Schneier] doesn't seem to understand the mathematics very well." Pick up Applied Cryptography sometime and compare it side-by-side with Welschenbach's book. You'll see what that PhD was talking about.