Monday, February 18, 2008

Feeling secure or not ... have posted an interesting short interview with Bruce Schneier, security guru and author of Applied Cryptography and Beyond Fear.

They point out that he highlights that there is usually a difference, sometimes a great one, between how secure we feel, and how secure we really are. I've added to the quote below a bit missing in the ZDNet article (highlighted):
“When something rare happens it's talked about endlessly. It's repeated again and again so our brains are fooled in to thinking it's or common because it's what psychologists call "available" -- the memories are more available. And one of our mental short cuts is to think of things that are more available as more common. So we might not phrase it that way, but we react as though terrorism or child kidnapping is more common than it really is, because the media endlessly repeats the rare thing.
I was discussing with some other parents this very issue the other day. We are all hyper-aware as parents of the potential for our children being snatched from us at the park or shops, and so we find ourselves placing boundaries for our children that we never had ourselves.

For example I remember as a 5 year old I was allowed to run around the local neighbourhood (we lived in a cul-de-sac) and playing in the banks of snow that snowploughs had pushed up on either side of the road (I lived in Toronto, Canada at the time). There is NO WAY I would allow my kids to do this now - for one thing a minor car accident could have resulted in a car plunging into our snow bank, and clobbering us in the process - I'm too aware of similar improbable events occurring. For example a local pre-school was recently hit by an out of control driver and several children were badly hurt.

However my parents weren't being bombarded with stories about that sort of thing, so they thought it reasonably safe letting me play on my own outside (although there was the time I got busted throwing overripe oranges at passing cars ... and one driver had his window open).

In reality the chances of my being wiped out by an out of control car were probably no greater in that snow bank than they were while crossing the road, or being driven to school in the family car (possibly greater as my Mum grew up in sunny Australia, and never much liked driving on icy roads).

The problem is that we make decisions based on emotions rather than pure logic, and that is no matter how coldly logical we try to be. 'Fear' is an emotional warning sign that lets us know when something bad could happen, but as Schneier points out it is biased towards events that we 'know' about, thus giving media stories an unwarranted weight in our decision making.

Schneier wants us all to talk different about real and felt (security) risks as he feels that the ambiguity of English (and many other languages) means that we help the process along:
“In effect we have two very different concepts mapped on the same word. And this makes a lot of conversations about the feeling and reality of security hard to have because our language fails us.”
In IT terms the problem is not so much the software as the hardware - we could remove the obfuscation by ensuring we always qualify our statements with a disclaimer as to whether we are talking about 'feeling' secure or 'being' secure. Our brains are built to respond to emotional triggers, when someone tells us something is true we use emotional cues (theirs and ours) to help us evaluate if that is really true.

[UPDATE: Fixed minor typo.]


  1. Anonymous10:51 pm

    The key is to use something that may be new to you: control adapters. These are little chunks of logic that you add to your web site to effectively "adapt" an Malayalam search engine ASP.NET control to render the HTML you prefer. The ASP.NET 2.0 CSS Friendly Control Adapters kit

  2. Thanks for the comment Anonymous. I'm unsure exactly what your point is however. Perhaps your comment got cut short? Please feel free to expand on your point ...