Infosecurity: Are we being manipulated into security decisions?
Security guru Bruce Schneider issued a call today for the security industry to wake up and understand the psychology of security.
Speaking at Infosec conference, Schneider said that too often security decisions are made without appreciating the underlying forces at work.
"I want people to think about security in terms of it's psychology, and to watch how media reports, politicians and companies try to use different methods to influence popular perceptions," said Schneider, founder and CTO, BT Counterpane.
"Do security products really make your business safer, or just make you think it's safer?" he asked delegates. "There is a lot of security theatre going on, where businesses sell products to make us feel better in the short term about security, but in many instances they make no difference to the real risk levels we face - like 'tamper proof' caps for example. These types of products rely on manipulating our feelings, which is slightly sneaky, but effective."
He also questioned whether people were capable of keeping up with a constantly changing technologically driven threat environment. "Are humans equipped to deal with this speed of change?" he asked "I'm not sure, I think the jury is still out..."
Schneider continued: "We all make security trade-offs, and yet, at the same time we seem hopelessly bad at it. We get it wrong all the time. We exaggerate some risks while minimizing others. We exaggerate some costs while minimizing others. The truth is that we're not bad at making security trade-offs. We are very well adapted to dealing with the security environment endemic to hominids living in small family groups on the highland plains of East Africa. It's just that the environment we live in now is different from Kenya circa 100,000 BC. And so our feeling of security diverges from the reality of security, and we get things wrong."