Psychology of Security
February 8, 2007 1:07 PM

The Psychology of Security. An essay by Bruce Schneier on the difference between the feeling of security and the reality of security. [Via MindHacks.]
posted by homunculus (25 comments total)
 
Schneier has some interesting stuff on computer security, but when it comes to risk assessment, he has this stridently ideological bent about what he sees as the irrationality of the general public that leads him to some strange conclusions. For example:
The reality of security is mathematical, based on the probability of different risks and the effectiveness of different countermeasures. We can calculate how secure your home is from burglary...
The reality of security is indeed mathematical, but we can never actually calculate such probabilities because we will never have complete information. Burglary has been around long enough in more or less the same form that we might have reasonably good information, but terrorism and bird flu haven't. So what, then, is wrong with people being "more afraid of risks that are new than those they've lived with for a while"?
posted by transona5 at 1:31 PM on February 8, 2007


He talks a lot about "Security Theater" where people make a big show of security, but in reality, very little of it works. This is what Airline security consists of mostly. Make a big show of irritating people at the gate, and leave luggage racks unguarded.
posted by delmoi at 1:45 PM on February 8, 2007


Schneier is probably reason #1 for some sort of American technocracy.

transona5, that is a good point. Schneier gave a speech on risk-rewards calculations at my school a few years ago. He highlighted the fact that most of the time, these calculations are done completely ass backwards, even according to the limited information we have.
posted by muddgirl at 1:45 PM on February 8, 2007


Also, my first chance to post Bruce Schneier facts.
posted by muddgirl at 1:49 PM on February 8, 2007


The reality of security is indeed mathematical, but we can never actually calculate such probabilities because we will never have complete information.

What an absurd thing to say. The entire point of probability theory is to be able to calculate things without perfect information. If you had perfect information, the probability of everything would be either 0% or 100%.
posted by delmoi at 1:50 PM on February 8, 2007 [2 favorites]


Great article! (Though the construction of the FPP looks remarkably similar to mine. I keed!)
posted by ObscureReferenceMan at 1:58 PM on February 8, 2007


In fact, there are a few different philosophies about what the point of probability is.

If you had perfect information, the probability of everything would be either 0% or 100%.

Well, I suppose it depends on what you mean by "perfect information." You can have perfect information about the fairness of a coin (although not exactly what's going to happen next time you throw it in the air) and the probability of it coming up heads next time is still 50% (or whatever the bias of the coin is).
posted by transona5 at 1:58 PM on February 8, 2007


It looks like Schneier has performed a really nice synthesis here. This is a great introduction to a bunch of different ideas.
posted by mr_roboto at 2:22 PM on February 8, 2007 [1 favorite]


The reality of security is indeed mathematical, but we can never actually calculate such probabilities because we will never have complete information.

We will when science is done. Hurry up scientists!
posted by srboisvert at 2:24 PM on February 8, 2007


I had a long discussion with a friend and co-worker 10 years or so ago about how the perception of security without real security was worse than no security at all. If people assume things are not secure, they will at least take some measures to monitor their property, data, etc... Whereas, if they think things are secure when they are not, disaster is inevitable, and maybe undetectable.
posted by BrotherCaine at 2:31 PM on February 8, 2007 [2 favorites]


Yeah, the security theater thing really troubles me. By making a big production over how safe we are being kept in mundane things, like taking off shoes at the airport and preventing us from bringing shampoo onto a plane, we assume that the really big things that are out of sight are also being guarded with the same amount of diligence.

And yet, when we investigate, we discover that only a fraction of shipping containers that come into our country are inspected, and that, despite our bluster to the contrary, our borders are pretty porous. And last time I checked, the security around many important targets like nuclear plants and the like hasn't really been changed from how it was on 09.10.2001.

I have no real fear of terrorists. I don't worry every day about how they are plotting to kill me and mine, because the odds on that happening are lower than me getting struck by lightning. Twice.

But based on what I read in the papers, I'm in a minority here. A lot of people apparently live in constant fear of these things. I don't know that the security theater helps them either, as it acts as a constant reminder that they have something to be afraid of, but IANAPsychologist. Perhaps these act as a placebo and keep those in fear placated. I don't know.

What I do know is that I would feel better about the big show if it meant that the more mundane actual dangers were being thoroughly investigated and acted upon. You know, things like improving road safety and survivability in the event of an auto accident. Sure, it's not as gut-wrenchingly flashy as protecting us from terrorism, but it's something that we are much more likely to actually need.
posted by quin at 4:03 PM on February 8, 2007 [4 favorites]


[I know I'm equating national security and terrorism with auto safety, which seems like an odd comparison, but statistically you are much more likely to be hurt or killed driving to work, than to be killed by a terrorist. I also know that they are in fact working at making the roads safer, but their efforts get none of the glitz of the Security Theater, so we don't hear about their successes, and their failures are considered unremarkable.]
posted by quin at 4:06 PM on February 8, 2007


Well, I suppose it depends on what you mean by "perfect information."

The word "information" has a specific meaning in statistics. Obviously what you mean depends on whether or not you know what the words you use denote. What you're talking about is knowing what the various random variables actually are.

Not to be flip, but this guy is one of the foremost experts on information security, the guy has written his own cryptographic algorithms and literally wrote the book on crypto. Yes, there is a difference between statistics and discreet math, but still. I think the guy understands mathematics pretty well.

Also, the disagreement about the philosophical underpinnings of probability theory is about what it "means" in an epistemological sense, not about why it was created or what it's useful for.
posted by delmoi at 4:07 PM on February 8, 2007 [1 favorite]


I'm sure he understands mathematics very well. Nothing he said was mathematically wrong ("we can calculate the probability of..." is certainly correct in the sense he meant it). The problem is that he has failed to explain things like why people who are "more afraid of risks that are new than those they've lived with for a while" are acting irrationally. He gives West Nile virus as an example; New Yorkers were less concerned after it had been around for a couple years. Well, sure; if there were no cases of a disease ten years ago but there have been 100 cases every year after that, you know pretty much what you're dealing with. If there were no cases last year but 100 this year, there may well be 200 or 1000 next year.
posted by transona5 at 4:19 PM on February 8, 2007


transona5 writes "The problem is that he has failed to explain things like why people who are 'more afraid of risks that are new than those they've lived with for a while' are acting irrationally."

Does he ever say that that particular response is "irrational"?

I mean, it's certainly related to the availability heuristic, but it's also a rational response to treat the unknown as potentially dangerous. This is why Schneier says "...in the hours after [the Sept. 11th] terrorist attacks, [grounding all aircraft is] exactly what we did. When we didn't know the magnitude of the attacks or the extent of the plot, grounding every airplane was a perfectly reasonable trade-off to make. And even now, years later, I don't hear anyone second-guessing that decision."

This piece seems much more concerned with poor evaluations of security risks where we do have some knowledge.
posted by mr_roboto at 4:49 PM on February 8, 2007


Fascinating and stimulating post. Thanks homunculus.
posted by nickyskye at 4:53 PM on February 8, 2007


(Though the construction of the FPP looks remarkably similar to mine. I keed!)

Hey, it does! Kudos!
posted by homunculus at 4:56 PM on February 8, 2007


Well, sure; if there were no cases of a disease ten years ago but there have been 100 cases every year after that, you know pretty much what you're dealing with. If there were no cases last year but 100 this year, there may well be 200 or 1000 next year.

There may be, but we know there have been zero terrorist attacks since 9/11. We actually have quite a bit of data about how many terrorists there are out there, their capabilities, etc. If you have some evidence that a threat isn't growing, then it is irrational to think it might grow anyway.
posted by delmoi at 6:33 PM on February 8, 2007


(er, zero attacks in the US)
posted by delmoi at 6:33 PM on February 8, 2007


Yes, there is a difference between statistics and discreet math

...discreet math being the math I did during the lunch break, hidden away behind the library, while in high school?
posted by chudder at 6:35 PM on February 8, 2007 [3 favorites]


delmoi : There may be, but we know there have been zero terrorist attacks since 9/11.

Except for those pesky anthrax attacks that we never really followed up on...
posted by quin at 7:20 PM on February 8, 2007


He talks a lot about "Security Theater" where people make a big show of security, but in reality, very little of it works. This is what Airline security consists of mostly. Make a big show of irritating people at the gate, and leave luggage racks unguarded.

Yet no one compares this to how things were before. In the airline industry, no one wanted to implement new safety measures of any kind, because to do so would be to admit that there was a problem in the first place. People have shown their willingness to reward the illusion of safety and punish striving toward the reality in the same way that we punish politicians for admitting mistakes. Better to pretend you were always right.

People don't seem to realize the gains we've made in puncturing some very unhealthy attitudes toward safety. You Yanks should be thanking Y2K for all your new radar screens, and while no one will "thank" 9/11 for anything, it should be easier than ever now to promote a new safety feature by saying "we've fixed it; why haven't others?"

Assuming they actually want to earn public confidence through safety, not win that confidence through showy deception, which is where your "theatre" aspect comes in.
posted by dreamsign at 10:55 PM on February 8, 2007


Well, I suppose it depends on what you mean by "perfect information." You can have perfect information about the fairness of a coin (although not exactly what's going to happen next time you throw it in the air) and the probability of it coming up heads next time is still 50% (or whatever the bias of the coin is).

It would be nice if "unknown != random" was held as close to people's hearts as "correlation != causation".
posted by dreamsign at 11:04 PM on February 8, 2007


I think, therefore, I am. (secure)

Information security is a process, not an end product.
Providing information security involves balancing convenience with security.
Also, the level of security required should correlate to the value of the information to be protected.
These things have nothing to do with making managers feel warm fuzzies about "security."
Bruce is de' man!
posted by nofundy at 6:06 AM on February 9, 2007


Why Smart Cops Do Dumb Things
posted by homunculus at 9:22 PM on February 22, 2007

