Thursday, July 16, 2009

Podcast: Crypto-Gram 15 October 2008:

from the Oct 15, 2008 Crypto-Gram Newsletter
by Bruce Schneier

* The Seven Habits of Highly Ineffective Terrorists

Most counterterrorism policies fail, not because of tactical problems, but because of a fundamental misunderstanding of what motivates terrorists in the first place. To defeat terrorism we need to understand the motivation.

Conventional wisdom holds that people become terrorists for political reasons.

If you believe this model, the way to fight terrorism is to change that equation, and that's what most experts advocate. Historically, none of these solutions has worked with any regularity.

Max Abrahms has studied dozens of terrorist groups from all over the world. He argues that the model is wrong. He theorizes that people turn to terrorism for social solidarity: people join terrorist organizations worldwide in order to be part of a community.

The evidence supports this:
1) Individual terrorists often have no prior involvement with a group's political agenda, and often join multiple terrorist groups with incompatible platforms.
2) Individuals who join terrorist groups are frequently not oppressed in any way, and often can't describe the political goals of their organizations.
3) People who join terrorist groups most often have friends or relatives who are members of the group.
4) The great majority of terrorists are socially isolated: unmarried young men or widowed women who weren't working prior to joining.

- We can engage in strategies specifically designed to weaken the social bonds within terrorist organizations.
- Pay more attention to the socially marginalized than to the politically downtrodden.
- Support vibrant, benign communities and organizations as alternative ways for potential terrorists to get the social cohesion they need.
- Minimize collateral damage in our counterterrorism operations.

* The Two Classes of Airport Contraband

1) that will get you in trouble if you try to bring it on an airplane
2) that will cheerily be taken away from you if you try to bring it on an airplane.

This difference is important: Making security screeners confiscate anything from that second class is a waste of time. All it does is harm innocents; it doesn't stop terrorists at all.

If you're caught at airport security with a bomb or a gun, the screeners aren't just going to take it away from you; you'll be arrested.

The screeners don't have to be perfect; they just have to be good enough. No terrorist is going to base his plot on getting a gun through airport security if there's a decent chance of getting caught, because the consequences of getting caught are too great.

But if you're caught with a bottle of liquid, the screeners will confiscate it without any consequences.
Hence, if it's really true that a terrorist can use a liquid bomb, he/she will try and try and try again until he/she is successful, and he/she will never be caught.

* Nicholas Taleb on the Limitations of Risk Management

A lot of people have done some kind of "make-sense" type measures, and that has made them more vulnerable because they give the illusion of having done your job. This is the problem with risk management. I always come back to a classical question. Don't give a fool the illusion of risk management. Don't ask someone to guess the number of dentists in Manhattan after asking him the last four digits of his Social Security number. The numbers will always be correlated.

* Does Risk Management Make Sense?

"Risk management" is just a fancy term for the cost-benefit tradeoff associated with any security decision. It's what we do when we react to fear, or try to make ourselves feel secure.

Many corporate security decisions are made to mitigate the risk of lawsuits rather than address the risk of any actual security breach. And individuals make risk management decisions that consider not only the risks to the corporation, but the risks to their departments' budgets, and to their careers.

You can't completely remove emotion from risk management decisions, but the best way to keep risk management focused on the data is to formalize the methodology. That's what companies that manage risk for a living -- insurance companies, financial trading firms and arbitrageurs -- try to do. They try to replace intuition with models, and hunches with mathematics.

length: 18:42m
PS: this is my cheat sheet of Bruce Schneier's Podcast:
