Infosec 08: Re-conceptualising security
April 23rd, 2008 by Jiri
… Bruce Schneier, 23rd April.
I missed the beginning, but Schneier seems to pick up his train of thought where he finished last year, on the difference between the feeling and the reality of security. He’s talking about building a new conceptual model for security.
Simple concept: feeling <-> reality
Security is a trade-off – a trade-off between security, cost, fashion, liberty, etc., and these trade-offs are inherently personal. People who make good decisions should improve their chance of survival (a bit of Darwin here). But unfortunately, because of our evolutionary setup, we often make these decisions based on our feeling about security rather than the reality of security. This is because we as a species have developed to deal with risks in small social groups and are not well equipped to deal with risk in a world that is complex and dominated by technology and media.
There are interesting side effects of the concept of ‘feeling of security’: there are strong economic incentives to sell products / develop policies that make people feel secure rather than make them secure. How to fix this? What makes people notice that the feeling does not match reality? There are a few ways - explanation, real-world examples and data [NOTE JL - if only it was that simple]. What makes people not notice the difference? There are a few factors - ignorance, not enough examples (definitely the case for low-probability events) and emotions clouding the issue.
New concept: feeling-model-reality
Reason (based in the neocortex) can override our fear (based in the amygdala), effectively moving the feeling of security closer to the reality of security. Schneier thinks that better information and correct cognitive models can help with this. But the catch is that often we don’t create these models ourselves - because of the complexity of the world, we get them from the media (e.g. terrorism) or science (e.g. global warming).
What complicates this picture are the agendas of various parties working on and shaping public and scientific opinion in the world. Different stakeholders have different agendas and often try to manipulate either the feeling or the generally accepted models. This is most often done through politics or marketing. A few examples of this are:
- Post-9/11 discussions in the US on protection for aircraft pilots that turned into decision-making based on gun-control arguments
- Smoking in the 50s was considered harmless; this changed through both scientific discovery and protracted marketing battles, until now smoking is considered harmful
How to make this work for us?
Most often we don’t have the skills to make the right decisions, and so we depend on others. This works if the people we depend on are the true experts. If we want to fix the gap between the feeling and the reality, we have two options.
Firstly, in the short term we need to address the feelings, and then in the longer run we need to move the widely used models closer to reality. This is certainly possible, but lengthy: the change of opinion on smoking took decades, seatbelts took a generation, and these were easy models. Conceptually hard models take a long time to become widespread, and in some cases the convergence of feeling and reality may not happen. And the thing is that we don’t know what will happen with security.
Addressing only the reality of security is naïve. We need to work on getting a good balance of feeling and reality. When dealing with the industry and society approaching security subjects, we should think about whether and how the various parties approach security reality, feeling and models.
Overall rating: 4/5 (Schneier is an articulate and intelligent speaker and I can always find time to listen to him. But the conclusion that we a) need better information and b) need to address the marketing/political aspects seems rather obvious).