How to Think Better About Security

Humans naturally tend to exaggerate or underestimate modern risks, argues cybersecurity guru Bruce Schneier in a draft paper on the psychology of security posted last month.

Humans downplay familiar risks and inflate unfamiliar ones. We are far more frightened of spectacular risks such as terrorism than of pedestrian ones such as food poisoning, even though food poisoning kills far more Americans per year than terrorism does. (Schneier's paper includes a table of risks that people typically exaggerate and risks they typically downplay.)

We react to exaggerated risks with palliatives, measures Schneier calls "security theater": they make people feel more secure but can crowd out actual security improvements. If the theater is coupled with real improvements, that's good; if not, it's dangerous, Schneier writes. Does removing our shoes at airport screening, or limiting carry-on liquids to 3-ounce containers, make us any safer than other measures would?

“Perhaps by understanding how our brains process risk, and the heuristics and biases we use to think about security, we can learn how to override our natural tendencies and make better security trade-offs,” Schneier concludes.