One of the security industry's most outspoken experts, Bruce Schneier, spoke at RSA Conference on the topic of how security decisions and perceptions are often driven by irrational and subconscious motives in human beings.
The CTO at BT Counterpane, who is known for his talent in cryptography as well as his critical observations about technology use, Tuesday turned his attention to a different matter: an analysis of human behaviour in the face of risk-management decisions.
In Schneier's view, security managers need to be aware that they themselves, their business managers and their corporate user groups are likely to make critical security decisions based on barely acknowledged impressions of fear and irrational response, rather than a careful study of facts.
"Security is a tradeoff," Schneier said, speaking to a packed audience at his RSA session. "What are you getting for what you're giving up? Whether you make that tradeoff consciously or not, there is one."
He noted that probably no one in the audience was wearing a bullet-proof vest because no one thought the risk was worth it, especially given how uncomfortable and unfashionable it would appear. "We made these tradeoffs every day," Schneier said, adding every animal species does. In the world of business, human psychology plays a strong role in decisions about acquiring security defenses as well, he asserted.
Schneier based his presentation on his own study of tracts written in the fields of behavioral science, human psychology and university research about how people make choices. He said there's reason to believe that decision-making in security is much less rational than one would prefer.
There is a "feeling versus reality," Schneier said. "You can feel secure but not be secure. You can be secure but not feel secure."
The primitive portion of the brain, called the amygdala, feels fear and incites a fear-or-flight response, he pointed out. "It's very fast, faster than consciousness. But it can be overridden by higher parts of the brain."
The neocortex, which in a mammalian brain is associated with consciousness, is slower but "adaptive and flexible," designed to work toward confronting fear and making decisions to promote security, Schneier said.
The battle in the brain for rational response often plays out in ways that people "exaggerate risks that are spectacular, rare, beyond their control, talked about, international, man-made, immediate, directed against children or morally offensive," Schneier noted, pointing to lists of exaggerated and downplayed risks.
Among the downplayed risks are those that are "pedestrian, common, more under their control, not discussed, natural, long-term, evolving slowly or affecting others."
As part of his presentation, Schneier alluded to studies that show people often have an "optimism bias -- we tend to think we'll be luckier than the rest." He noted that psychology research into how people remember events shows that "vividness," or the most clearly remembered things, typically indicates the "worst memory is most available."
Other human psychology tendencies, such as "anchoring" -- a mental focus on suggested options that act to manipulate bias -- often trigger wholly non-rational response in decision-making.
In this psychology framework, according to Schneier, security managers should recognize that the responses to security risk by management and users, if not themselves, may be extraordinarily irrational.
"We make bad security tradeoffs when our feeling and our reality are out of whack," he said. "You can see vendors and politicians manipulating these biases."
The only advantage for security managers who understand these human inclinations regarding feeling and reality is that they can use "a little bit of well-placed security fear" that will help in security deployments or even "made people feel better."