(This 5-step process by Bruce Schneier can be found in Schneier’s book Beyond Fear, and also in Schneier’s Crypto-Gram Newsletter where I obtained the text below.)
Bruce Schneier writes:
What follows is my foolproof, five-step, security analysis. Use it to judge any security measure.
Step one: What problem does the security measure solve? You’d think this would be an easy one, but so many security initiatives are presented without any clear statement of the problem. National ID cards are a purported solution without any clear problem. Increased net surveillance has been presented as a vital security requirement, but without any explanation as to why. (I see the problem not as one of not having enough information, but of not being able to analyze and interpret the information already available.)
Step two: How well does the security measure solve the problem? Too often analyses jump from the problem statement to a theoretical solution, without any analysis as to how well current technology actually solves the problem. The companies that are pushing automatic face recognition software for airports and other public places spend all their time talking about the promises of a perfect system, while skipping the fact that existing systems work so poorly as to be useless. Enforcing a no-fly zone around a nuclear reactor only makes sense if you assume a hijacker will honor the zone, or if it is large enough to allow reaction to a hijacker who doesn’t.
Step three: What other security problems does the measure cause? Security is a complex and inter-related system; change one thing and the effects ripple. If the government bans strong cryptography, or mandates back-doors, the resultant weaker systems will be easier for the bad guys to attack. National ID cards require a centralized infrastructure that is vulnerable to abuse. In fact, the rise of identity theft can be linked to the increased use of electronic identity. Make identities harder to steal through increased security measures, and that will only make the fewer stolen identities more valuable and easier to use.
Step four: What are the costs of the security measure? Costs are not just financial, they’re social as well. We can improve security by banning commercial aircraft. We can make it harder for criminals to outrun police by mandating 40 mph speed maximums in automobiles. But these things cost society too much. A national ID card would be enormously expensive. The new rules allowing police to detain illegal aliens indefinitely without due process cost us dearly in liberty, as does much of the PATRIOT Act. We don’t allow torture (officially, at least). Why not? Sometimes a security measure, even though it may be effective, is not worth the costs.
Step five: Given the answers to steps two through four, is the security measure worth the costs? This is the easy step, but far too often no one bothers. It’s not enough for a security measure to be effective. We don’t have infinite resources. We don’t have infinite patience. As a society, we need to do the things that make the most sense, that are the most effective use of our security dollar.
Some security measures pass these tests. Increasing security around dams, reservoirs, and other infrastructure points is a good idea. Not storing railcars full of hazardous chemicals in the middle of cities should have been mandated years ago. New building evacuation plans are smart, too. These are all good uses of our limited resources to improve security.
This five-step process works for any security measure, past, present, or future:
1) What problem does it solve?
2) How well does it solve the problem?
3) What new problems does it add?
4) What are the economic and social costs?
5) Given the above, is it worth the costs?
Some comments from Ray Bernard:
For two years (2005, 2006) Bruce Schneier has good-heartedly agreed to be the opening speaker for the all-day Convergence Track that I moderate at the CardTech-SecurTech conference. Last year I introduced him by saying that prior to September 11th, 30 to 40 percent of the crime that airport police had to deal with at the major airports was (jokingly) Bruce Schneier’s fault. I said that had he written Beyond Fear years earlier, the airlines would have had this 5-step process to evaluate security measures, and would have realized that separating passengers from their belongings at security checkpoints would introduce a significant new risk of theft.
The crime percentage numbers are from a July 2001 survey of security issues at the major U.S. airports, which revealed that there were organized crime theft rings operating out of some of the major airports, and that theft at checkpoints was 30 to 40 percent of the crime reported to airport police. Since September 11th, heightened security at airports and at checkpoints in particular has practically eliminated the problem.
At the conference I stated then that the problem would not have occurred in the first place, had this risk been addressed properly when the airlines implemented checkpoint screening in response to FAA’s requirements. In fairness to the airlines, it took decades for checkpoint theft to become the problem that it was in 2001. Laptop computers didn’t exist back in 1973, and MasterCharge and BankAmericard (now MasterCard and Visa) were only a few years old, and could not be used electronically until 1979. So even if Bruce Schneier’s five steps had existed back then (he would have to have written the book at age 12), the risks of 2001 did not.
But these historical details just go to show that security must be implemented as an ongoing process, with periodic reassessment of the threats, vulnerabilities and risks, because these change over time.
Today we have a lot more security knowledge and experience available to us than we did 20 or 30 years ago. However, the existence of that knowledge won’t do us a lot of good, unless as security practitioners we make sure we learn about it, and apply it.
(Shameless plug: That’s one reason for publication of The Security Minute.)