The Virtual Bookcase for browsing and sharing reviews of books.

Book details of 'Beyond Fear: Thinking Sensibly About Security in an Uncertain World'

Title: Beyond Fear: Thinking Sensibly About Security in an Uncertain World
Author(s): Bruce Schneier
ISBN: 0387026207
Language: English
Published: September 2003
Publisher: Copernicus Books

Score:

virtualbookcase.com score: 5.0 *****

The Virtual Bookcase Reviews of 'Beyond Fear: Thinking Sensibly About Security in an Uncertain World':

Reviewer Koos van den Hout wrote:
Bruce Schneier reviews security in America two years after 9/11 in this book, and uses this as a prime example of security measures, security theatre and how to evaluate security measures. Schneier promotes logical thinking about security and uses statistics to show that we should be worrying a lot more about car safety than about possible terrorism. Schneier shows possible (and very likely) hidden agendas in security measures implemented after 9/11. This book is very readable, even for someone not experienced in threat-analysis and security-analysis. Using simple examples from everyday life, Schneier makes his point and explains the reasoning. If you want to read one book about security, read his book "Secrets and Lies". If you want to read another one after that, read this one.
Reviewer Rob Slade wrote:
It is instructive to view this book in light of another recent publication. Marcus Ranum, in "The Myth of Homeland Security" (see reviews) complains that the DHS (Department of Homeland Security) is making mistakes, but provides only tentative and unlikely solutions. Schneier shows how security should work, and does work, presenting basic concepts in lay terms with crystal clarity. Schneier does not tell you how to prepare a security system as such, but does illustrate what goes on in the decision-making process.

Part one looks at sensible security. Chapter one points out that all security involves a balancing act between what you want and how badly you want it. An important distinction is also made between safety and security, and the material signals the danger of ignoring the commonplace in order to protect against the sensational but rare. Fundamental security concepts are outlined as well as risk analysis. Chapter two examines the effect (usually negative) that bias and subjective perceptions have on our inherent judgment of risks. Security policy is based on the agenda of the major players, and chapter three notes that we should evaluate security systems in that light.

Part two reviews how security works. Chapter four introduces systems and how they fail. "Know the enemy," in chapter five, is not just a platitude: Schneier shows how an understanding of motivations allows you to assess the likelihood of different types of attack. Chapter six is less focused than those prior: it notes that attackers reuse old attacks with new technologies, but it is difficult to find a central thread as the text meanders into different topics. Finding a theme in chapter seven is also difficult: yes, technology creates imbalances in existing power structures, and, yes, complexity and common mechanisms do tend to weaken security positions, but the relationship between those facts is not as lucidly presented as in earlier material. The point of chapter eight, that you always have to be aware of the weakest link in the security chain, even when it changes, is more straightforward, but the relevance of the illustrations surrounding it is not always obvious. Resilience in security systems is important, but it is not clear why this needs to be addressed in a separate chapter nine when it could have been discussed in eight with defence in depth (or "class breaks" and single-points-of-failure in seven). The hurried ending is also very likely to confuse naive readers in regard to "fail-safe" and "fail-secure": Schneier does not sufficiently stress the fact that the two concepts are not only different, but frequently in conflict.

Chapter ten notes that people are both the strongest and weakest part of security: adaptable and resilient but terrible at detail; frequently surprisingly intuitive but often randomly foolish. At this point the book is not only repetitive, but loses some of its earlier focus and structure. Detection and prevention are examined, in chapter eleven, not as part of the classic matrix of controls, but as yet another example or aspect of resilience. Most of the rest of the types of controls in the preventive/detective axis are listed in chapter twelve, lumped together as response. Chapter thirteen looks at identification, authentication, and authorization (but not accountability, which was seen, in the form of audit, in chapter eleven). Various types of countermeasures are described in chapter fourteen. Countermeasures with respect to terrorism are examined, in chapter fifteen, both in general terms and in light of the events of 9/11. What works is discussed, as well as what does not, and there is an interesting look at the different roles of the media in the US as contrasted with the UK.

Part three, entitled "The Game of Security," is not clear as to purpose. Chapter sixteen starts off by pointing out that the five step assessment process is constant and never-ending--which begs the question of how to determine when diminishing returns start to set in on assessment itself. However, there is good material in regard to the actions you can take to influence decisions about security. A concluding editorial, in chapter seventeen, encourages the reader to move beyond fear and think realistically about security and the tradeoffs you are willing to make.

Some of the terms Schneier uses or invents may be controversial. His use of "active" and "passive" failures for the concepts more commonly known respectively as false rejection (false positive) or false acceptance (false negative) is probably much clearer, initially, to the naive reader. The concept is an important one, and so the presentation of it in this way could be a good thing. On the other hand, does "active failure" completely map to what is meant by "false acceptance," and, if not, how much of a problem is created by the use of the new term? Similarly, "class break" does indicate the importance of new forms of attack, but the concept seems to partake aspects of defence in depth, single point of failure, and least common mechanism, all important constructs in their own right. Schneier's invention of "default to insecure" is not really any more understandable than the more conventional terms of fail-safe or fail-open.

I recommend this book. Unlike Ranum's, "Beyond Fear" has a more significant chance of informing and educating the public on vital issues of security. Security educators will find a treasure trove of ideas and examples that they can use to explain security concepts, to a variety of audiences. Security professionals are unlikely to find anything new in this material, but Schneier's writing is always worth reading, and this work is refreshingly free of the grating of erroneous ideas.

copyright Robert M. Slade, 2004

Book description:

• Will arming pilots make flying safer?
• Will computerized voting machines make election results more accurate?
• Is online shopping with credit cards especially risky?
• Would a national ID card program better protect us from terrorism?

If you read the newspapers or listen to the pundits you might answer "yes" to these questions, but the truth will surprise you. Searching kids and grandmas actually improves airport security, but arming pilots makes us all less secure. Replacing paper ballots with computerized voting machines is a horrendously dangerous idea. Shopping with a credit card online is just as secure as using it over the phone or by mail. And a national ID card program would significantly weaken our security. In fact, according to Bruce Schneier in Beyond Fear, almost all ID checks in the name of enhanced security are virtually worthless. These, and dozens of other surprising insights in this book, will help you develop a keen sense of what today’s most talked-about security measures can and cannot do.

Security is not mysterious, Schneier tells us, and contrary to popular belief, it is not hard. What is hard is separating the hype from what really matters. You already make security choices every day of your life, from what side of the street you walk on to whether you park your car under a streetlight. You do it naturally. This book guides you, step by step, through the process of making all your security choices just as natural.

Schneier invites us all to move beyond fear and to start thinking sensibly about security. He tells us why security is much more than cameras, guards, and photo IDs, and why expensive gadgets and technological cure-alls often obscure the real security issues. Using anecdotes from history, science, sports, movies, and the evening news, Beyond Fear explains basic rules of thought and action that anyone can understand and, most important of all, anyone can use.

The benefits of Schneier’s non-alarmist, common-sense approach to analyzing security will be immediate. You’ll have more confidence about the security decisions you make, and new insights into security decisions that others make on your behalf. Whether your goal is to enhance security at home, at the office, and on the road, or to participate more knowledgeably and confidently in the current debates about security in our communities and the nation at large, this book will change the way you think about security for the rest of your life.

The Virtual Bookcase is created and maintained by Koos van den Hout. Contact e-mail webmaster@virtualbookcase.com.
Copyright © 2000-2013 Koos van den Hout / The Virtual Bookcase