[Infowarrior] - Schneier: The Feeling and Reality of Security

Richard Forno rforno at infowarrior.org
Wed Apr 9 16:25:06 UTC 2008


The Feeling and Reality of Security

http://www.wired.com/politics/security/commentary/securitymatters/2008/04/securitymatters_0403


Security is both a feeling and a reality, and they're different. You can
feel secure even though you're not, and you can be secure even though you
don't feel it. There are two different concepts mapped onto the same word --
the English language isn't working very well for us here -- and it can be
hard to know which one we're talking about when we use the word.

There is considerable value in separating out the two concepts: in
explaining how the two are different, and understanding when we're referring
to one and when the other. There is value as well in recognizing when the
two converge, understanding why they diverge, and knowing how they can be
made to converge again.

Some fundamentals first. Viewed from the perspective of economics, security
is a trade-off. There's no such thing as absolute security, and any security
you get has some cost: in money, in convenience, in capabilities, in
insecurities somewhere else, whatever. Every time someone makes a decision
about security -- computer security, community security, national security
-- he makes a trade-off.

People make these trade-offs as individuals. We all get to decide,
individually, if the expense and inconvenience of having a home burglar
alarm is worth the security. We all get to decide if wearing a bulletproof
vest is worth the cost and tacky appearance. We all get to decide if we're
getting our money's worth from the billions of dollars we're spending
combating terrorism, and if invading Iraq was the best use of our
counterterrorism resources. We might not have the power to implement our
opinion, but we get to decide if we think it's worth it.

Now we may or may not have the expertise to make those trade-offs
intelligently, but we make them anyway. All of us. People have a natural
intuition about security trade-offs, and we make them, large and small,
dozens of times throughout the day. We can't help it: It's part of being
alive.

Imagine a rabbit, sitting in a field eating grass. And he sees a fox. He's
going to make a security trade-off: Should he stay or should he flee? Over
time, the rabbits that are good at making that trade-off will tend to
reproduce, while the rabbits that are bad at it will tend to get eaten or
starve.

So, as a successful species on the planet, you'd expect that human beings
would be really good at making security trade-offs. Yet, at the same time,
we can be hopelessly bad at it. We spend more money on terrorism than the
data warrants. We fear flying and choose to drive instead. Why?

The short answer is that people make most trade-offs based on the feeling of
security and not the reality.

I've written a lot about how people get security trade-offs wrong, and the
cognitive biases that cause us to make mistakes. Humans have developed these
biases because they make evolutionary sense. And most of the time, they
work.

Most of the time -- and this is important -- our feeling of security matches
the reality of security. Certainly, this is true of prehistory. Modern times
are harder. Blame technology, blame the media, blame whatever. Our brains
are much better optimized for the security trade-offs endemic to living in
small family groups in the East African highlands in 100,000 B.C. than to
those endemic to living in 2008 New York.

If we make security trade-offs based on the feeling of security rather than
the reality, we choose security that makes us feel more secure over security
that actually makes us more secure. And that's what governments, companies,
family members and everyone else provide. Of course, there are two ways to
make people feel more secure. The first is to make people actually more
secure and hope they notice. The second is to make people feel more secure
without making them actually more secure, and hope they don't notice.

The key here is whether we notice. The feeling and reality of security tend
to converge when we take notice, and diverge when we don't. People notice
when 1) there are enough positive and negative examples to draw a
conclusion, and 2) there isn't too much emotion clouding the issue.

Both elements are important. If someone tries to convince us to spend money
on a new type of home burglar alarm, we as society will know pretty quickly
if he's got a clever security device or if he's a charlatan; we can monitor
crime rates. But if that same person advocates a new national antiterrorism
system, and there weren't any terrorist attacks before it was implemented,
and there weren't any after it was implemented, how do we know if his system
was effective?

People are more likely to realistically assess these incidents if they don't
contradict preconceived notions about how the world works. For example: It's
obvious that a wall keeps people out, so arguing against building a wall
across America's southern border to keep illegal immigrants out is harder to
do.

The other thing that matters is agenda. There are lots of people,
politicians, companies and so on who deliberately try to manipulate your
feeling of security for their own gain. They try to cause fear. They invent
threats. They take minor threats and make them major. And when they talk
about rare risks with only a few incidents to base an assessment on --
terrorism is the big example here -- they are more likely to succeed.

Unfortunately, there's no obvious antidote. Information is important. We
can't understand security unless we understand it. But that's not enough:
Few of us really understand cancer, yet we regularly make security decisions
based on its risk. What we do is accept that there are experts who
understand the risks of cancer, and trust them to make the security
trade-offs for us.

There are some complex feedback loops going on here, between emotion and
reason, between reality and our knowledge of it, between feeling and
familiarity, and between the understanding of how we reason and feel about
security and our analyses and feelings. We're never going to stop making
security trade-offs based on the feeling of security, and we're never going
to completely prevent those with specific agendas from trying to take care
of us. But the more we know, the better trade-offs we'll make.

This article originally appeared on Wired.com.



