UK companies have been warned to be wary of statistics
coming out of the security industry
Bruce Schneier, chief technology officer at BT Counterpane, said that
security industry metrics could be misleading and that suppliers of
security products tended to have "models [of security threats] that
make their products compelling."
Speaking at Infosecurity 2008, Schneier urged security officers
to arm themselves with as much information about real-world threats
as possible. This would leave them better prepared to
distinguish manipulated models of reality from those that more
closely represented what was going on in the rapidly changing
technology landscape.
"A good understanding of the risks, threats and how security
systems work will help alert people to whether they are being
manipulated or not," he said.
Schneier accused many in the security industry of exploiting
what he called the "psychology of security", which naturally led
people to make decisions based on what makes them feel more secure
rather than empirical data. However, this typically led to feelings
being "out of whack" with reality.
"There is a much stronger economic incentive to produce security
products that make people 'feel' safer," said Schneier.
The ideal situation, he said, was where feeling matched reality,
and this could only be achieved through awareness of the
differences between these two things, of attempts by suppliers to
manipulate models of reality, and through a good knowledge of and
familiarity with the real risks.
Metrics coming from scientists and academics were typically a
lot more trustworthy because they are not usually shaped by a
commercial agenda, he said.