Stefan Schumacher is head of the Magdeburg Institute for Security Research and is currently running a research programme about the psychology of security. At AusCERT 2014, he told the audience that Edward Snowden's NSA leaks have removed any lingering doubts about a totalitarian surveillance of the Internet.
Intelligence agencies not only monitor the Internet but also try to hack into specific computers and install backdoors. He questioned whether and how we could provide security in a post-NSA era. Rather than relying on "idle, unwilling and incompetent politicians", he says it's time we started to act as hackers.
"Let's assume there is an adversary before us with almost unlimited resources," said Schumacher. "How do we have to change how security works and what research has to be done?"
Schumacher's approach looked at a number of different disciplines such as psychology and cybernetics. However, he questioned one of the cornerstones of all security.
Trust, according to Schumacher, needs to be more deeply explicated and defined. Much of our security is founded upon some degree of trust. Everyone needs to trust the sysadmin. The sysadmin trusts the operating system developers. Developers trust compilers, which in turn trust the operating systems they run on.
Given that ladder of trust, Schumacher asked the audience whether they could trust the systems they rely on. A consequence of this is that we need to develop a new model of IT security. It has to move beyond being a purely technical field. "Discussing the 31337th buffer overflow of the week won't fix fundamental problems," he said.
His view was that we need to develop and extend IT security into the broader discipline of Information Security. This would include psychology, sociology, educational science and didactics, and would operationalise security so that it becomes measurable.
Psychology, in Schumacher's view, is critical because information security is as much a human science as a technical one.
"Security is a latent social construct and has to be treated as such," he said. "Psychological and sociological methods and tools are required. If the security of a system is to be enhanced, a diagnosis, prognosis and intervention is required."
The process of security requires making decisions. Schumacher pointed out that we all make decisions based on our experiences and the environment we are in. Consequently, he contended that it's not just a good idea to consider psychology within the study of security but that it's required.
"Psychology is the only science able to research the basic fundamentals of security," he said.
Thus far, much of the focus of information security has been on tools rather than on specific behavioural analyses. The trouble with this approach, in Schumacher's view, is that tools can create complacency in users. He cited the example of taxi drivers in Germany who switched vehicles, en masse, from the older Wolga to the Mercedes.
The older cars lacked many of the safety features we all take for granted in modern cars. However, when drivers switched to the newer, safer vehicle, the accident rate increased markedly. Similarly, it's critical to look at user behaviour rather than simply layering on more tools as a way of thwarting bad actors.