In this excellent interview, Schneier talks about how we human primates tend to evaluate risk, and why we’re often so bad at it.

Here’s the boilerplate intro to Schneier’s philosophy:

In Beyond Fear, Schneier presents a set of questions to rationally assess the security process, in other words, how to get beyond fear:

Step 1: What assets are you trying to protect?
Step 2: What are the risks to those assets?
Step 3: How well does the security solution mitigate those risks?
Step 4: What other risks does the security solution cause?
Step 5: What costs and trade-offs does the security solution impose?
And finally: Is the countermeasure worth it?

Easy enough, but why are people so bad at it?

Central to the trade-off decision is a concept of risk, and people’s perceptions of risk rarely match the reality of risk. Like the DC sniper example, people simply don’t understand the true extent of the risk, and thus either trade off too much or too little.
There are lots of psychological studies that shed light on this phenomenon. In Beyond Fear, I talk about five common fallacies:

1. People exaggerate spectacular but rare risks, and downplay common risks.
2. The unknown is perceived to be riskier than the familiar.
3. Personified risks are perceived to be greater than anonymous risks.
4. People overestimate involuntary risks: risks in situations they can’t control.
5. People overestimate risks that they can’t control but think they should.

What this means in real life is:

As animals, we make security trade-offs based on our immediate environment. We do it either through instinct or through intelligence, and the bias in either case is toward survival.

Unfortunately, there are two aspects of modern society that throw this all out of whack. The first is technology. Our security intuition evolved in a world where nothing ever changed. Fear of the new made a lot of sense in that kind of world. But the pace of today’s technology means that things change all the time. Look at the Internet: every week there’s a new attack tool, a new vulnerability, a new danger….

The interview is somewhat long and far-ranging, but still remarkably clear and practical. Anyone concerned with evaluating risk should read it.

OK, no more Gibson or Schneier fanboy stuff for a while.