Importance of a Security Mindset

Back in 2008, Bruce Schneier wrote an article in Wired about the security mindset. In it he wrote:

This kind of thinking is not natural for most people. It’s not natural for engineers. Good engineering involves thinking about how things can be made to work; the security mindset involves thinking about how things can be made to fail. It involves thinking like an attacker, an adversary or a criminal. You don’t have to exploit the vulnerabilities you find, but if you don’t see the world that way, you’ll never notice most security problems.

I’ve often speculated about how much of this is innate, and how much is teachable. In general, I think it’s a particular way of looking at the world, and that it’s far easier to teach someone domain expertise — cryptography or software security or safecracking or document forgery — than it is to teach someone a security mindset.

He was very sure that mindset is a good thing:

That part’s obvious, but I think the security mindset is beneficial in many more ways. If people can learn how to think outside their narrow focus and see a bigger picture, whether in technology or politics or their everyday lives, they’ll be more sophisticated consumers, more skeptical citizens, less gullible people….

There’s nothing magical about this particular university class; anyone can exercise a security mindset simply by trying to look at the world from an attacker’s perspective. If I wanted to evade this particular security device, how would I do it? Could I follow the letter of this law but get around the spirit? If the person who wrote this advertisement, essay, article or television documentary were unscrupulous, what could he have done? And then, how can I protect myself from these attacks?

The security mindset is a valuable skill that everyone can benefit from, regardless of career path.

In practice, not everyone seems to agree with that last sentence. One person’s “careful and thorough” is another person’s “inconvenient and unnecessary,” when they don’t share the same picture of reality.

This case is extreme but illustrative. It’s taken from the book Even Paranoids Have Enemies: New Perspectives on Paranoia and Persecution:

Dinora Pines (1995) describes her experience with a patient from Russia who had given his KGB companion the slip when he was brought to London. The patient appeared to her to be obsessed by his fantasies about Baba Yar. He never gave her his home address or telephone number and always seemed to slip into his sessions in a shadowy and haunted manner. Pines’s patient did not arouse any emotional response in her and she felt bored, only subsequently realizing that she was in the presence of a person whose main internal difficulty was a “falseness”, a tendency to disallow emotional engagement and closeness. Her non-existent feelings towards him troubled her, keeping her thinking about his internal world until one day external reality erupted in her consulting room. After the murder of a Bulgarian dissident in Oxford Street, her patient disappeared. She never heard another word about him until she was shocked to read an obituary about him in the local newspaper. Pines writes:

I feel very guilty about my previous indifference towards him, and my irritation with him for what seemed to be illogical precautions as to his safety. Yet it also seemed to me, with hindsight, that he was right and I was totally wrong about his reality.

Her patient’s past life experience differed enormously from hers and matters were further complicated by their cultural differences and his own psychological difficulties in being honest and open with those, such as his analyst, whom he perceived to be in a position of authority.

Thankfully, most of us don’t need to worry about anything like the KGB killing us with ricin pellets shot from an umbrella. But these things do happen.

Those of us who aren’t dealing with Advanced Persistent Threats still have enemies on the internet, but we aren’t defenseless. WhiteHat Security can help with reducing your organization’s attack surface, but there are lots of things everyone can do to make their online lives safer (and a little bit less convenient). You can think of our Web Security for the Tech Impaired series as Security Mindset 101.