Infosecurity 2008: UK firms warned of lies, damned lies and security statistics

UK companies have been warned to be wary of statistics coming out of the security industry

Bruce Schneier, chief technology officer at BT Counterpane, said that security industry metrics could be misleading and that suppliers of security products tended to have "models [of security threats] that make their products compelling."

Speaking at Infosecurity 2008, Schneier urged security officers to arm themselves with as much information about real-world threats as possible. This would leave them better prepared to distinguish manipulated models of reality from those that more closely represent what is going on in the rapidly changing technology landscape.

"A good understanding of the risks, threats and how security systems work will help alert people to whether they are being manipulated or not," he said.

Schneier accused many in the security industry of exploiting what he called the "psychology of security", which naturally led people to make decisions based on what makes them feel more secure rather than empirical data. However, this typically led to feelings being "out of whack" with reality.

"There is a much stronger economic incentive to produce security products that make people 'feel' safer," said Schneier.

The ideal situation, he said, was where feeling matched reality, and this could only be achieved through awareness of the differences between the two, of attempts by suppliers to manipulate models of reality, and of the real risks, together with a good working familiarity with those risks.

Metrics coming from scientists and academics were typically a lot more trustworthy because they are not usually shaped by a commercial agenda, he said.