Bruce at INFOSec Europe

I was lucky enough to listen to Bruce Schneier speaking at INFOSec Europe on Wednesday last week. He spoke about the mismatch between ‘security’ and ‘feelings’: how we feel often does not equate to the reality. For example, at airports they remove liquids during the security check; it makes us feel more secure, but in reality it doesn’t make much (if any) difference to how secure we actually are. In effect, we make security trade-offs based upon how safe we feel. The ability to make this trade-off accurately can be distorted by media hype. The fact is that the ‘feeling’ comes from the instinctive part of our brain, and the ability to rationalize is what distinguishes us, as human beings, from animals.

This brings us onto ‘models’: the models of society that we have grown up with and accepted as fact. Models are created by human beings and are based on facts. These facts can actually become an integral part of how we feel. For example, one model created by the tobacco companies in former times was that smoking was healthy; this model has changed over the last 30 years to the converse. Changing this model took time, and was painful for many, especially the tobacco companies 🙂

The unknown is scary, and it seems we have a tendency to overestimate the impact of involuntary risks (e.g. earthquakes, airplane crashes) and, conversely, to underestimate voluntary risks (e.g. smoking, which is a choice).

Security Theatre (snake oil) is the name given to those products that make you feel more secure, even though in reality they don’t do anything. We do need these sometimes, though. One example in the US was the introduction of the safety cap on over-the-counter drugs. There was an incident whereby one bottle was contaminated by some (mentally sick) person. The consequence was a death. This type of incident is extremely rare; however, over-the-counter drugs would never have made it further without the introduction of the safety cap, as consumer confidence had been lost.

So to summarise: the most successful security products manipulate ‘models’ and ‘feelings’ even though they may not necessarily match ‘reality’.