Last talk at #enigma2021 today is @iMeluny speaking about "DA DA: WHAT SHARK CONSERVATION TEACHES US ABOUT EMOTIONALITY AND EFFECTIVE COMMUNICATION STRATEGIES FOR SECURITY AND PRIVACY"
usenix.org/conference/eni…
usenix.org/conference/eni…
I dreamt of being a shark scientist and worked my ass off to get a scholarship to one of the top programs. My career took a loop, but to this day I find lessons from sharks for security and privacy.
Lessons:
Incidents are emotional
* Risks will never be zero
* Public is ill-informed and fear is common
* science-based policy is not the norn
Incidents are emotional
* Risks will never be zero
* Public is ill-informed and fear is common
* science-based policy is not the norn
Over the last several years I've been troubled by institutions using crisis as a governing strategy:
* Frequent or erratic policy changes
* Everything becomes a crisis
* Manipulation of public anxiety
* Control and protection for the powerful using /emotionality/
* Frequent or erratic policy changes
* Everything becomes a crisis
* Manipulation of public anxiety
* Control and protection for the powerful using /emotionality/
What is "emotionality"?
* how we experience and express emotions
* when exploited it can become a threat to effective communication and incident response
* emotions don't stand in isolation -- they're a manifestation of biases
* how we experience and express emotions
* when exploited it can become a threat to effective communication and incident response
* emotions don't stand in isolation -- they're a manifestation of biases
First fear:
* most people are afraid of sharks (but some places they're revered!)
* where they're feared it's hard for scientists to get good policy passed (just like in sec and priv)... because there's pressure to react immediately and thus make short-term decisions
* most people are afraid of sharks (but some places they're revered!)
* where they're feared it's hard for scientists to get good policy passed (just like in sec and priv)... because there's pressure to react immediately and thus make short-term decisions
Fear is a natural response:
* causes fight or fight to prepare for an emergency
* but closes off the ability to use good judgement
[ ... see also my PEPR talk about incident response. Hard agree. ]
* causes fight or fight to prepare for an emergency
* but closes off the ability to use good judgement
[ ... see also my PEPR talk about incident response. Hard agree. ]
Following shark bites political actors often choose policy responses which are designed to *appear* like a strong response but don't address the underlying causes.
... wow that sounds a lot like security and privacy
... wow that sounds a lot like security and privacy
Western Australia has operated one of the largest lethal-control programs in the world since 2012
* original criteria "imminent threat" had to be broadened to "threat"
* wasn't working and had impact on other sea life
* original criteria "imminent threat" had to be broadened to "threat"
* wasn't working and had impact on other sea life
"Summer of the shark" was created by media despite no increase of bites (or fatal bites), continued until 9/11 overtook it.
Parallel in security/privacy: law enforcement wanting backdoors into encryption, even when they ignore early warning signs. [the wording here is strong watch the talk!] Purposeful users of emotionality.
Would work better to rebuild public trust, put in place safeguards, address underlying causes.
These agencies use crisis to govern. The most momentum they get is after an incident. Using and inciting a crisis is how many political players move their agendas forward.
These agencies use crisis to govern. The most momentum they get is after an incident. Using and inciting a crisis is how many political players move their agendas forward.
Data breach and privacy enforcement
* hearings and grandstanding and screaming don't address the underlying issues
* use emotionality to label incidents and try to use them to move forward and manipulate agendas
* hearings and grandstanding and screaming don't address the underlying issues
* use emotionality to label incidents and try to use them to move forward and manipulate agendas
Leaders are eager to issue grand statements when startups aren't even required to do the bare minimum!
Incident response red flags
* militaristic style -- they demonstrate power without really understanding the appropriate subject matter
* lack of salience -- media narratives don't follow what is actually going on, but stoke public panic
* militaristic style -- they demonstrate power without really understanding the appropriate subject matter
* lack of salience -- media narratives don't follow what is actually going on, but stoke public panic
Political leaders fall back on the old crutch of emotionality, which leads to perception narrowing and ineffective enforcement
It's a series of knee-jerk reactions designed to protect the powerful, not actually solve problems.
What does work?
* South Africa organized a shark-spotting program after several attacks
* Early warning system at several beaches
* South Africa organized a shark-spotting program after several attacks
* Early warning system at several beaches
What was good?
* Proactive
* Community-based
* Real public service
* Provided access to the public of current and historical information
* Focus on reducing dangerous interactions
* Focused on strategic locations
* Proactive
* Community-based
* Real public service
* Provided access to the public of current and historical information
* Focus on reducing dangerous interactions
* Focused on strategic locations
Sharkspotter program is, to this day, one of the best of the world and we can use those strategies in our security and privacy programs.
[end of talk]
[end of talk]
• • •
Missing some Tweet in this thread? You can try to
force a refresh
