Perception vs. reality in security

LAS VEGAS: As computers go, the human brain is not a very good one, says security researcher and consultant Bruce Schneier.

'People are a mess,' Schneier said in a keynote address Thursday at the Black Hat Briefings computing security conference. 'If you are looking for computer-like calculations in people, you are not going to find it.'

Schneier, a long-time security iconoclast who has railed against what he called security theater, which provides the illusion of security without the reality, cited a number of clinical studies of how humans perceive risk. The results shatter 'any hope that your brain is rational,' he said.

The traits found in these studies have a direct impact on how people select and use security controls in their lives and online.

The human mind is full of biases and shortcuts that allow it to work quickly and efficiently, but not always accurately, when assessing problems.

'A lot of security problems come when these shortcuts fail,' Schneier said. The mind seems to be optimized for making good decisions in small groups in a prehistoric veldt setting. 'In New York City, in 2007, not so good.'

'We are less good at big numbers,' he said. 'Your sense of probability at the high end falls apart.'

Biases include optimism (the sense that "it won't happen to me") and a control bias, under which a person perceives less risk as long as he or she is the one in charge. Perceptions of probability are also skewed by memory: people tend to remember the most extreme occurrences rather than the most common ones, and judge likelihood accordingly.

Schneier said this research has caused him to rethink his position on security theater.

'What the research shows is that security theater has a place,' he said. 'It makes people feel good.'

But to be useful, feelings of security should be aligned with the reality of security, so that a false sense of security is not created.

'We as a community need to spend a lot more time on how people perceive security,' he said.

About the Author

William Jackson is a Maryland-based freelance writer.
