[ISN] The Difference Between Feeling and Reality in Security

From: InfoSec News (alerts@private)
Date: Fri Apr 04 2008 - 01:02:34 PST


http://www.wired.com/politics/security/commentary/securitymatters/2008/04/securitymatters_0403

By Bruce Schneier   
Security Matters
Wired.com
04.03.08

Security is both a feeling and a reality, and they're different. You can 
feel secure even though you're not, and you can be secure even though 
you don't feel it. There are two different concepts mapped onto the same 
word (the English language isn't working very well for us here), and it 
can be hard to know which one we're talking about when we use the word.

There is considerable value in separating out the two concepts: in 
explaining how the two are different, and understanding when we're 
referring to one and when the other. There is value as well in 
recognizing when the two converge, understanding why they diverge, and 
knowing how they can be made to converge again.

Some fundamentals first. Viewed from the perspective of economics, 
security is a trade-off. There's no such thing as absolute security, and 
any security you get has some cost: in money, in convenience, in 
capabilities, in insecurities somewhere else, whatever. Every time 
someone makes a decision about security, whether computer security, 
community security or national security, he makes a trade-off.

People make these trade-offs as individuals. We all get to decide, 
individually, if the expense and inconvenience of having a home burglar 
alarm is worth the security. We all get to decide if wearing a 
bulletproof vest is worth the cost and tacky appearance. We all get to 
decide if we're getting our money's worth from the billions of dollars 
we're spending combating terrorism, and if invading Iraq was the best 
use of our counterterrorism resources. We might not have the power to 
implement our opinion, but we get to decide if we think it's worth it.

Now we may or may not have the expertise to make those trade-offs 
intelligently, but we make them anyway. All of us. People have a natural 
intuition about security trade-offs, and we make them, large and small, 
dozens of times throughout the day. We can't help it: It's part of being 
alive.

Imagine a rabbit, sitting in a field eating grass. And he sees a fox. 
He's going to make a security trade-off: Should he stay or should he 
flee? Over time, the rabbits that are good at making that trade-off will 
tend to reproduce, while the rabbits that are bad at it will tend to get 
eaten or starve.

So, as a successful species on the planet, you'd expect that human 
beings would be really good at making security trade-offs. Yet, at the 
same time, we can be hopelessly bad at it. We spend more money on 
terrorism than the data warrants. We fear flying and choose to drive 
instead. Why?

The short answer is that people make most trade-offs based on the 
feeling of security and not the reality.

I've written a lot about how people get security trade-offs wrong, and 
the cognitive biases that cause us to make mistakes. Humans have 
developed these biases because they make evolutionary sense. And most of 
the time, they work.

Most of the time, and this is important, our feeling of security 
matches the reality of security. Certainly, this is true of prehistory. 
Modern times are harder. Blame technology, blame the media, blame 
whatever. Our brains are much better optimized for the security 
trade-offs endemic to living in small family groups in the East African 
highlands in 100,000 B.C. than for those endemic to living in 2008 New 
York.

If we make security trade-offs based on the feeling of security rather 
than the reality, we choose security that makes us feel more secure over 
security that actually makes us more secure. And that's what 
governments, companies, family members and everyone else provide. Of 
course, there are two ways to make people feel more secure. The first is 
to make people actually more secure and hope they notice. The second is 
to make people feel more secure without making them actually more 
secure, and hope they don't notice.

The key here is whether we notice. The feeling and reality of security 
tend to converge when we take notice, and diverge when we don't. People 
notice when 1) there are enough positive and negative examples to draw a 
conclusion, and 2) there isn't too much emotion clouding the issue.

Both elements are important. If someone tries to convince us to spend 
money on a new type of home burglar alarm, we as society will know 
pretty quickly if he's got a clever security device or if he's a 
charlatan; we can monitor crime rates. But if that same person advocates 
a new national antiterrorism system, and there weren't any terrorist 
attacks before it was implemented, and there weren't any after it was 
implemented, how do we know if his system was effective?

People are more likely to realistically assess these incidents if they 
don't contradict preconceived notions about how the world works. For 
example: It's obvious that a wall keeps people out, so arguing against 
building a wall across America's southern border to keep illegal 
immigrants out is harder to do.

The other thing that matters is agenda. There are lots of people, 
politicians, companies and so on who deliberately try to manipulate your 
feeling of security for their own gain. They try to cause fear. They 
invent threats. They take minor threats and make them major. And when 
they talk about rare risks with only a few incidents to base an 
assessment on (terrorism is the big example here), they are more likely 
to succeed.

Unfortunately, there's no obvious antidote. Information is important. We 
can't assess security unless we understand the risks. But that's not 
enough: Few of us really understand cancer, yet we regularly make 
security decisions based on its risk. What we do is accept that there 
are experts who understand the risks of cancer, and trust them to make 
the security trade-offs for us.

There are some complex feedback loops going on here, between emotion and 
reason, between reality and our knowledge of it, between feeling and 
familiarity, and between the understanding of how we reason and feel 
about security and our analyses and feelings. We're never going to stop 
making security trade-offs based on the feeling of security, and we're 
never going to completely prevent those with specific agendas from 
trying to scare us. But the more we know, the better trade-offs 
we'll make.

-=-

Bruce Schneier is CTO of BT Counterpane and author of Beyond Fear: 
Thinking Sensibly About Security in an Uncertain World. You can read 
more of his writings on his website.


___________________________________________________      
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn 



This archive was generated by hypermail 2.1.3 : Fri Apr 04 2008 - 01:13:54 PST