22nd Large Installation System Administration Conference 2008, November 09-14, 2008, in San Diego, CA
by Bruce Schneier
Security is about trade-offs. Whether you get a burglar alarm depends on your sense of security. If you lock all your doors all the time, this is more secure, but it also makes your life more complex.
Living beings are naturally quite good at making security decisions, or they would have died out long ago. The problem comes when feeling and reality no longer match up. Our natural sense of security was developed millions of years ago. Unfortunately, it does not develop as fast as the world around us. So our intuitive reactions are optimized for small family groups in the East African highlands and not so much for life in modern-day New York.
Interesting fact from Prospect Theory ... Experimental research shows that humans act like this:
| A sure gain of $500 - 84% | vs | A 50% gain of $1000 |
| A sure loss of $500 | vs | A 50% loss of $1000 - 70% |
These results are culturally invariant!
In many examples he shows that our probability judgment is quite flawed as soon as the problems become more complex.
There are two ways to approach security issues. You can make people feel more secure, or you can actually make them more secure and hope that they notice. Normally the approach of changing the feeling is simpler and more effective, and it is also very sensible if the actual security is already established.
The challenge is to bring perceived and actual security closer together.
We have models of how the world is. These models are largely influenced by media, advertising, and cultural background. When making decisions on security, we unconsciously use these models as a replacement for reality, in addition to the feeling.
Models can also change. Look at the model for the danger of smoking. Today you will find almost no one who will challenge the model that smoking kills you. All the same, some people still smoke. It took 40 years for the smoking model to change, and this was not all that difficult a model. The only way models can change fast is through strong personal feelings, like a mugging experience, or events like 9/11: so-called flashbulb moments.
In the technological world where reality changes daily we are basically lost when it comes to the speed at which we are able to adjust our models and intuition. It is not sufficient to focus on the reality. We have to take the people and their perception of security into the equation.
Often security measures do not make sense on a purely technical level. But they do make sense as 'Security Theater' to influence our perception of security.
Read Bruce Schneier's blog at http://www.schneier.com/