The thing about doing security analysis is that you really have to think about the threats, and you really have to look at your assumptions, and then you have to evaluate the costs of security measures against the threat reduction. It’s hard to do that while you are being terrified.
For example, imagine two security systems A, and B, that both attempt to accomplish goal X, but at different costs. B is more expensive than A, but accomplishes X much better.
It’s relatively simple to figure out if the improvement in achieving X that comes from choosing B is worth the cost increase.
What’s easy to forget is that the analysis has to include questions like: “do I really want to accomplish X?”, or “There nothing I can do with the amount of money B will cost that is a better use of money than accomplishing X?” In order to get the analysis right, and include those basic questions, you have to stop being scared and look at the “real problem”.
Bruce Schneier never forgets this part. He is doing some analysis for TSA on the Secure Flight system, and finds that while it is an improvement over what’s there now, it’s not really a good use of the money:
If I had some millions of dollars to spend on terrorism security, and I had a watch list of potential terrorists, I would spend that money investigating those people. I would try to determine whether or not they were a terrorism threat before they got to the airport, or even if they had no intention of visiting an airport. I would try to prevent their plot regardless of whether it involved airplanes. I would clear the innocent people, and I would go after the guilty. I wouldn’t build a complex computerized infrastructure and wait until one of them happened to wander into an airport. It just doesn’t make security sense.
And that, of course, is without even looking at the second order effects of building the system, like “well, now that we have this nifty terrorist screening system, why don’t we also use it to track criminals, or suspected criminals, or…”. (Of course, Bruce mentions that issue as well.)
