Perception vs. reality in security

LAS VEGAS -- As computers go, the human brain is not a very good one, says security researcher and consultant Bruce Schneier.

"People are a mess," Schneier said in a keynote address Thursday at the Black Hat Briefings computing security conference. "If you are looking for computer-like calculations in people, you are not going to find it."

Schneier, a long-time security iconoclast who has railed against what he called security theater, which provides the illusion of security without the reality, cited a number of clinical studies of how humans perceive risk. The results shatter "any hope that your brain is rational," he said.

The traits found in these studies have a direct impact on how people select and use security controls in their lives and online.

The human mind is full of biases and shortcuts that allow it to work quickly and efficiently, but not always accurately, when assessing problems.

"A lot of security problems come when these shortcuts fail," Schneier said. The mind seems to be optimized for making good decisions in small groups in a prehistoric veldt setting. "In New York City, in 2007, not so good."

"We are less good at big numbers," he said. "Your sense of probability at the high end falls apart."

Biases include optimism -- the sense that something won't happen to me -- and a control bias that perceives less risk as long as I am the one in charge. Perceptions of probability are skewed by memory, and people also tend to remember the most extreme occurrences rather than the most common ones.

Schneier said this research has caused him to rethink his position on security theater.

"What the research shows is that security theater has a place," he said. "It makes people feel good."

But to be useful, feelings of security should be aligned with the reality of security, so that a false sense of security is not created.

"We as a community need to spend a lot more time on how people perceive security," he said.

About the Author

William Jackson is a Maryland-based freelance writer.

