Perception vs. reality in security
- By William Jackson
- Aug 02, 2007
LAS VEGAS ' As computers go, the human brain is not a very good one, says security researcher and consultant Bruce Schneier.
'People are a mess,' Schneier said in a keynote address Thursday at the Black Hat Briefings computing security conference. 'If you are looking for computer-like calculations in people, you are not going to find it.'
Schneier, a long-time security iconoclast who has railed against what he called security theater, which provides the illusion of security without the reality, cited a number of clinical studies of how humans perceive risk. The results shatter 'any hope that your brain is rational,' he said.
The traits found in these studies have a direct impact on how people select and use security controls in their lives and online.
The human mind is full of biases and shortcuts that allow it to work quickly and efficiently, but not always accurately, when assessing problems.
'A lot of security problems come when these shortcuts fail,' Schneier said. The mind seems to be optimized for making good decisions in small groups in a prehistoric veldt setting. 'In New York City, in 2007, not so good.'
'We are less good at big numbers,' he said. 'Your sense of probability at the high end falls apart.'
Biases include optimism ' the sense that something won't happen to me ' and a control bias that perceives less risk as long as I am the one in charge. Perceptions of probability are skewed by memory, and people also tend to remember the most extreme occurrences rather than the most common ones.
Schneier said this research has caused him to rethink his position on security theater.
'What the research shows is that security theater has a place,' he said. 'It makes people feel good.'
But to be useful, feelings of security should be aligned with the reality of security, so that a false sense of security is not created.
'We as a community need to spend a lot more time on how people perceive security,' he said.
William Jackson is a Maryland-based freelance writer.