From: InfoSec News (alertsinfosecnews.org)
Date: Fri Apr 04 2008 - 04:02:34 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

http://www.wired.com/politics/security/commentary/securitymatters/2008/04/securitymatters_0403

By Bruce Schneier
Security Matters
Wired.com
04.03.08

Security is both a feeling and a reality, and they're different. You can
feel secure even though you're not, and you can be secure even though
you don't feel it. There are two different concepts mapped onto the same
word . the English language isn't working very well for us here . and it
can be hard to know which one we're talking about when we use the word.

There is considerable value in separating out the two concepts: in
explaining how the two are different, and understanding when we're
referring to one and when the other. There is value as well in
recognizing when the two converge, understanding why they diverge, and
knowing how they can be made to converge again.

Some fundamentals first. Viewed from the perspective of economics,
security is a trade-off. There's no such thing as absolute security, and
any security you get has some cost: in money, in convenience, in
capabilities, in insecurities somewhere else, whatever. Every time
someone makes a decision about security . computer security, community
security, national security . he makes a trade-off.

People make these trade-offs as individuals. We all get to decide,
individually, if the expense and inconvenience of having a home burglar
alarm is worth the security. We all get to decide if wearing a
bulletproof vest is worth the cost and tacky appearance. We all get to
decide if we're getting our money's worth from the billions of dollars
we're spending combating terrorism, and if invading Iraq was the best
use of our counterterrorism resources. We might not have the power to
implement our opinion, but we get to decide if we think it's worth it.

Now we may or may not have the expertise to make those trade-offs
intelligently, but we make them anyway. All of us. People have a natural
intuition about security trade-offs, and we make them, large and small,
dozens of times throughout the day. We can't help it: It's part of being
alive.

Imagine a rabbit, sitting in a field eating grass. And he sees a fox.
He's going to make a security trade-off: Should he stay or should he
flee? Over time, the rabbits that are good at making that trade-off will
tend to reproduce, while the rabbits that are bad at it will tend to get
eaten or starve.

So, as a successful species on the planet, you'd expect that human
beings would be really good at making security trade-offs. Yet, at the
same time, we can be hopelessly bad at it. We spend more money on
terrorism than the data warrants. We fear flying and choose to drive
instead. Why?

The short answer is that people make most trade-offs based on the
feeling of security and not the reality.

I've written a lot about how people get security trade-offs wrong, and
the cognitive biases that cause us to make mistakes. Humans have
developed these biases because they make evolutionary sense. And most of
the time, they work.

Most of the time . and this is important . our feeling of security
matches the reality of security. Certainly, this is true of prehistory.
Modern times are harder. Blame technology, blame the media, blame
whatever. Our brains are much better optimized for the security
trade-offs endemic to living in small family groups in the East African
highlands in 100,000 B.C. than to those endemic to living in 2008 New
York.

If we make security trade-offs based on the feeling of security rather
than the reality, we choose security that makes us feel more secure over
security that actually makes us more secure. And that's what
governments, companies, family members and everyone else provide. Of
course, there are two ways to make people feel more secure. The first is
to make people actually more secure and hope they notice. The second is
to make people feel more secure without making them actually more
secure, and hope they don't notice.

The key here is whether we notice. The feeling and reality of security
tend to converge when we take notice, and diverge when we don't. People
notice when 1) there are enough positive and negative examples to draw a
conclusion, and 2) there isn't too much emotion clouding the issue.

Both elements are important. If someone tries to convince us to spend
money on a new type of home burglar alarm, we as society will know
pretty quickly if he's got a clever security device or if he's a
charlatan; we can monitor crime rates. But if that same person advocates
a new national antiterrorism system, and there weren't any terrorist
attacks before it was implemented, and there weren't any after it was
implemented, how do we know if his system was effective?

People are more likely to realistically assess these incidents if they
don't contradict preconceived notions about how the world works. For
example: It's obvious that a wall keeps people out, so arguing against
building a wall across America's southern border to keep illegal
immigrants out is harder to do.

The other thing that matters is agenda. There are lots of people,
politicians, companies and so on who deliberately try to manipulate your
feeling of security for their own gain. They try to cause fear. They
invent threats. They take minor threats and make them major. And when
they talk about rare risks with only a few incidents to base an
assessment on . terrorism is the big example here . they are more likely
to succeed.

Unfortunately, there's no obvious antidote. Information is important. We
can't understand security unless we understand it. But that's not
enough: Few of us really understand cancer, yet we regularly make
security decisions based on its risk. What we do is accept that there
are experts who understand the risks of cancer, and trust them to make
the security trade-offs for us.

There are some complex feedback loops going on here, between emotion and
reason, between reality and our knowledge of it, between feeling and
familiarity, and between the understanding of how we reason and feel
about security and our analyses and feelings. We're never going to stop
making security trade-offs based on the feeling of security, and we're
never going to completely prevent those with specific agendas from
trying to take care of us. But the more we know, the better trade-offs
we'll make.

-=-

Bruce Schneier is CTO of BT Counterpane and author of Beyond Fear:
Thinking Sensibly About Security in an Uncertain World. You can read
more of his writings on his website.

___________________________________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]