I began my Industry Insight series by teasing apart the security trade-off, and listing five areas where perception can diverge from reality:
1. The severity of the risk.
2. The probability of the risk.
3. The magnitude of the costs.
4. How effective the countermeasure is at mitigating the risk.
5. The trade-off itself.
Sometimes in all the areas, and all the time in area four, we can explain this divergence as a consequence of not having enough information. But sometimes we have all the information and still make bad security trade-offs. My aim was to give you a glimpse of the complicated brain systems that make these trade-offs, and how they can go wrong.
Of course, we can make bad trade-offs in anything: predicting what snack we'd prefer next week, not being willing to pay enough for a beer on a hot day. But security trade-offs are particularly vulnerable to these biases because they are so critical to our survival. Our brain heuristics for dealing with security are old and well-worn, and our amygdalae are even older.
What is new, from an evolutionary perspective, is human society, and the new security trade-offs that come with it. In the past I have singled out technology and the media as two aspects of modern society that make it particularly difficult to make good security trade-offs. Technology does so by hiding detailed complexity, so that we don't have the right information about risks; the media do so by producing such available, vivid and salient sensory input.
But the issue is really broader than that.
Understanding the process
The neocortex, the part of our brain that has to make security trade-offs, is, in the words of Daniel Gilbert, "still in beta testing".
How do we get people to recognise that they need to question their default behaviour? Giving them more information seems not to be the answer; we're already drowning in information, and these heuristics are not based on a lack of information.
Perhaps by understanding how our brains process risk, and the heuristics and biases we use to think about security, we can learn how to override our natural tendencies and make better security trade-offs. Perhaps we can learn how not to be taken in by security theatre, and how to convince others not to be taken in by the same.
Bruce Schneier is a founder and the CTO of BT Counterpane Internet Security
The evil way is to focus on the feeling of security at the expense of the reality. In his book, Influence, Robert Cialdini makes the point that people can't analyse every decision fully; it's just not possible: people need heuristics to get through life.
Cialdini discusses how to take advantage of that; an unscrupulous person, corporation, or government can similarly take advantage of the heuristics and biases we have about risk and security. Concepts of prospect theory, framing, availability, representativeness, affect, and others are key issues in marketing and politics. They're applied generally, but in today's world they're more and more applied to security.
Perception versus reality
After all my reading and writing, I believe that my good way of using research is impossible, and that the evil way is unacceptable. But I also see a third way: integrating the feeling and reality of security.
The feeling and reality of security are different, but they're closely related. We make the best security trade-offs - and by that I mean trade-offs that give us genuine security for a reasonable cost - when our feeling of security matches the reality of security. It's when the two are out of alignment that we get security wrong.
In the past I've criticised palliative security measures that only make people feel more secure as "security theatre". But used correctly, they can be a way of raising our feeling of security to more closely match the reality of security.
One example is the tamper-proof packaging that started to appear on over-the-counter drugs in the 1980s, after a few highly publicised random poisonings. As a countermeasure, it didn't make much sense. It's easy to poison many foods and over-the-counter medicines right through the seal, with a syringe, for example, or to open and reseal the package well enough that an unwary consumer won't detect it. But the tamper-resistant packaging brought people's perceptions of the risk more in line with the actual risk: minimal. And for that reason the change was worth it.
Of course, security theatre has a cost, just like real security. It can cost money, time, capabilities, freedoms, and so on, and most of the time the costs far outweigh the benefits.
And security theatre is no substitute for real security.
Furthermore, much security theatre will raise people's feeling of security to a level greater than the reality, which is also bad. But used in conjunction with real security, a bit of well-placed security theatre might be exactly what we need to both be and feel more secure.