Bruce Schneier: Security as a state of mind
Popular security researcher says security is also a feeling and therefore can't be quantified.
LAS VEGAS--Bruce Schneier, CTO of BT Counterpane, has been talking about the psychology of security for some time now. In his keynote address to Black Hat on Thursday morning, Schneier said that one simply cannot quantify security because it's also emotional. How we feel about security in a given situation can affect how secure we really are.
Schneier says we're all security consumers; as humans, we're constantly deciding how much time, money and effort we spend to feel secure. All animals do this. A rabbit faced with a predator has to decide whether to keep eating or simply run. Humans are both good and bad at this.
He cited several studies that show our decisions regarding the relative trade-offs aren't always logical. Schneier then talked about specific decisions we make around the severity of risk (life or death), the probability of a risk (it won't happen to me), and the magnitude of a risk (we overplay the risks when children are involved), the effectiveness of a risk (does it matter more whether I do A or B).
He also said that we tend to get these decisions wrong. Schneier said humans are better prepared for living in a hut on the African highlands in 1000 BC than for living in New York in 2007. Schneier ended his talk saying companies should spend more time working on improving the general perceptions surrounding security and not just the hardware and software they sell.