Subscribe
About

The trade-off of security

The concept of security as a trade-off is crucial to understanding the psychology of security.
By Bruce Schneier, Founder and the CTO of BT Counterpane Internet Security.
Johannesburg, 10 Apr 2007

Security is a trade-off. This is something I have written about extensively and it is a notion critical to understanding the psychology of security. There's no such thing as absolute security, and any gain in security always involves some sort of trade-off.

<B>ITWeb Security Summit 2007</B>

Taking place from 22 - 25 May 2007 at Vodaworld, ITWeb's Security Summit will bring together international and local IT and security professionals, practitioners, industry experts and analysts. Delegates will gain an understanding of the key tools, techniques and strategies needed to safeguard their organisations' most valuable asset - information. International security guru, Bruce Schneier, and creator of the PGP e-mail encryption protocol, Phil Zimmermann, will deliver the opening keynote addresses. Click here for booking information.

Security costs money, but it also costs in time, convenience, capabilities, liberties, and so on. Whether it's trading some additional home security against the inconvenience of having to carry a key around in your pocket and stick it into a door every time you want to get into your house, or trading some security against a particular kind of explosive terrorism on airplanes against the expense and time to search every passenger, all security is a trade-off.

I remember in the weeks after 9/11, a reporter asked me: "How can we prevent this from ever happening again?" "That's easy," I said, "simply ground all the aircraft."

It's such a far-fetched trade-off that we as a society will never make it. But in the hours after those terrorist attacks, it's exactly what we did. When we didn't know the magnitude of the attacks or the extent of the plot, grounding every airplane was a perfectly reasonable trade-off to make. And even now, years later, I don't hear anyone second-guessing that decision.

It makes no sense to just look at security in terms of effectiveness. "Is this effective against the threat?" is the wrong question to ask. You need to ask: "Is it a good trade-off?"

We make security trade-offs, large and small, every day. We make them when we decide whether we're going to pay for something via cheque, credit card, or cash. Most of the time we don't even realise we have done it, because we make security trade-offs intuitively.

Hopeless at trade

Yet at the same time we seem hopelessly bad at it. We get it wrong all the time. We exaggerate some risks while minimising others. We exaggerate some costs while minimising others. Even simple trade-offs we get wrong, wrong, wrong - again and again. A Vulcan studying human security behaviour would shake his head in amazement.

The truth is that we're not hopelessly bad at making security trade-offs. We are very well adapted to dealing with the security environment endemic to hominids living in small family groups on the highland plains of East Africa. It's just that the environment in New York in 2006 is different from Kenya circa 100 000 BC. And so our feeling of security diverges from the reality of security, and we get things wrong.

We make security trade-offs, large and small, every day. Most of the time we don't even realise we have done it, because we make security trade-offs intuitively.

Bruce Schneier is a founder and the CTO of BT Counterpane Internet Security

There are several specific aspects of the security trade-off that can go wrong. For example:

1. The severity of the risk.
2. The probability of the risk.
3. The magnitude of the costs.
4. How effective the countermeasure is at mitigating the risk.
5. How well disparate risks and costs can be compared.

The more your perception diverges with reality in any of these five aspects, the more your perceived trade-off won't match the actual trade-off.

If you think that the risk is greater than it really is, you're going to overspend. If you think the risk is real but only affects other people, you're going to under-spend. If you overestimate the costs of a countermeasure, you're less likely to apply it when you should, and if you overestimate how effective the countermeasure is, you're more likely to apply it when you shouldn't.

If you misevaluate the trade-off, you won't accurately balance the costs and benefits, but a lot of this can be chalked up to simple ignorance.

Bruce Schneier

Bruce Schneier is a headline speaker at the ITWeb Security Summit 2007, which takes place at Vodaworld from 22 to 25 May.

But I'm more interested in divergences between perception and reality that can't be easily explained. Why is it that, even if someone knows that automobiles kill 40 000 people each year in the US alone and airplanes kill only hundreds worldwide, they are more afraid of airplanes than automobiles? Why is it that, when food poisoning kills 5 000 people per year and 9/11 terrorists killed 2 973 people in only one year, are we spending tens of billions per year on terrorism defence and almost never think about food poisoning?

It's my contention that these irrational trade-offs can be explained by psychology. That something inherent in how our brains work makes us more likely to be afraid of flying than of driving, and more likely to want to spend money, time, and other resources mitigating the risks of terrorism than food poisoning. Moreover, that these seeming irrationalities have a good evolutionary reason for existing: they've served our species well in the past.

Understanding what they are, why they exist, and why they're failing us now is critical to understanding how we make security decisions. It's critical to understanding why, as a successful species on the planet, we make so many bad security trade-offs.

Share