Human brains not wired for modern IT security

Powered by SC Magazine

The neocortex is 'still in beta', says security expert.

Security expert Bruce Schneier told delegates at the Black Hat USA 2009 conference that the human brain is not suited to IT security in the modern world.

Schneier said in his address that, in evolutionary terms, the human brain cannot deal with the complex threats that dog the modern environment, and that computer security is unlikely to be solved in our lifetime.

"We have Stone Age brains. We respond to stories not data," he said. "We are very good at living in small family groups in the East African highlands, but we do not have a lot of experience in the modern world."

Schneier suggested that this had a direct relevance to computer security in that humans tend to think along narrative rather than empirical lines. For example, having a firewall is perceived as a great protector of a computer, but in fact a poorly-configured firewall is worse than useless.

He also cited biometrics and airport security as cases in point, where seemingly good security measures are actually counter-productive.

There are two key parts of the brain that respond to stress. The amygdala, which is one of the oldest parts of the brain stem, deals with the 'fight or flight' reflex. This is present in ancestors as far back as fish.

But advanced mammals have the neocortex, which makes people think rationally about the potential risks. This is how humans mitigate risks and rewards.

"This only exists in mammals. It is the newest part of the brain, kind of still in beta testing," said Schneier, giving the example of someone getting a dressing down from their boss and not feeling inclined to stab the person or run away.

However, this logical reasoning comes with certain costs, and raises interesting questions from a security standpoint.

Humans are story-telling creatures, Schneier explained, and good stories capture our interest despite the fact that they may be factually harmful. This tendency in humans will make security a hard goal to reach.

Copyright ©

Human brains not wired for modern IT security
Top Stories
Australia’s banks review the iPhone 6
ANZ, ING Direct and Westpac execs weigh in on NFC, TouchID and big screens.
Domain does DevOps
And they’re doing it on .NET.
The ethics of security
[Blog post] Where did that zero-day go?
Sign up to receive iTnews email bulletins
Latest Comments
Which is the most prevalent cyber attack method your organisation faces?

   |   View results
Phishing and social engineering
Advanced persistent threats
Unpatched or unsupported software vulnerabilities
Denial of service attacks
Insider threats