2012/05/01

The Security Mirage


Tonight we're discussing a TED talk by Bruce Schneier, called The Security Mirage.

Before we start, I want to ask:
How much time do you spend thinking about security in your life? The security of your house, vehicle, computer, children, your own person?
Do you have passwords on your electronic devices? Do you have locks on your doors? Do you have security bars on your windows? Do you lock your car when you leave it? Lock up your bike on the street? Text your taxi's number to a friend when you take one late at night? To what level do you feel you have to protect yourself from other people?

Does the presence of things like guards, police or soldiers make you feel more or less secure? How about scanners and other security machines in public places? Thick steel doors and window bars on a house? Are there any factors that would change your perception of safety or danger?

Feeling vs. Reality
"So security is two different things: it's a feeling, and it's a reality. And they're different. You could feel secure even if you're not. And you can be secure even if you don't feel it. Really, we have two separate concepts mapped onto the same word."

Trade offs
What do you trade off economically for security?
Example: "You've heard in the past several years, the world is safer because Saddam Hussein is not in power. That might be true, but it's not terribly relevant. The question is, was it worth it?"
How about some simpler examples? Do you double lock your hotel room door? Lock your car door? Eat at restaurants, night markets, fast food places? When is it worth it to be cautious, and when is caution a burden?

Biases in Risk Perception
Are we good at these trade offs? Bruce Schneier's answer is, we respond to the feeling of security and not the reality.
Some biases:
1. We tend to exaggerate spectacular and rare risks and downplay common risks -- flying versus driving.
2. The unknown is perceived to be riskier than the familiar. One example would be, people fear kidnapping by strangers (for children) when the data supports kidnapping by relatives is much more common.
3. Personified risks are perceived to be greater than anonymous risks -- so Bin Laden is scarier because he has a name.
4. And the fourth is people underestimate risks in situations they do control and overestimate them in situations they don't control. So once you take up skydiving or smoking, you downplay the risks. If a risk is thrust upon you -- terrorism was a good example -- you'll overplay it because you don't feel like it's in your control.
5. There's also the availability heuristic, which basically means we estimate the probability of something by how easy it is to bring instances of it to mind. If you hear a lot about tiger attacks, there must be a lot of tigers around. You don't hear about lion attacks, there aren't a lot of lions around.
This works until you invent newspapers. Because what newspapers do is they repeat again and again rare risks.
When something is so common that it's no longer news -- car crashes, domestic violence -- those are the risks you should really worry about.

Security Theater
Events/products that make people feel secure, but don't actually do anything. (e.g. airport security?)
Sometimes this term is used in a more complex way, as in: events orchestrated to make us feel in danger by virtue of the fact that someone is acting like they have to protect us.

Bruce Schneier says there are two ways to create a sense of security for people. "One, you can make people actually secure and hope they notice. Or two, you can make people just feel secure and hope they don't notice.
What makes people notice? Having enough real-world examples proving one or the other.
What makes people not notice? Not enough real world examples. Low-probability events. If, for example, terrorism almost never happens, it's really hard to judge the efficacy of counter-terrorist measures."

Models
Bruce Schneier says: "I want to add a third element: model. Feeling and model in our head, reality is the outside world. It doesn't change; it's real. So feeling is based on our intuition. Intuitive is just another word for familiar. Model is based on reason."

Are models necessarily better because they're not based on feelings?

"In a modern and complex world, you need models to understand a lot of the risks we face. There's no feeling about germs. You need a model to understand them. So this model is an intelligent representation of reality."

"Where do we get these models? We get them from others. We get them from religion, from culture, teachers, elders. Models can come from the media, from our elected officials. Think of models of terrorism, child kidnapping, airline safety, car safety. Models can come from industry.
The two I'm following are surveillance cameras, ID cards, quite a lot of our computer security models come from there. A lot of models come from science. Health models are a great example. Think of cancer, of bird flu, swine flu, SARS."

"Strong feelings can create a model. September 11th created a security model in a lot of people's heads. Also, personal experiences with crime can do it, personal health scare, a health scare in the news. You'll see these called flashbulb events by psychiatrists. They can create a model instantaneously, because they're very emotive."

"Intuitive is just another word for familiar."


So, let's talk about models.

What is safe in terms of what you eat? Is it risky to eat night-market food in Taipei? Is it risky to eat street stand food in Cambodia? Is it risky to eat fast food at a restaurant in the US?

What's our model for safety in travelling?
Is it 'safe' to take an airplane? To drive a car? To ride a scooter? To ride a bike? Which is the safest? What are the trade-offs?

What's our model for safety levels in a city? What's a 'safe' neighborhood in Taipei? What's a 'dangerous' one?
Are children at great risk of kidnapping in Taipei?
How likely are you to be raped by a stranger? How likely are you to be raped by someone you met on a night out, or by a relative?
Is it 'safe' for a woman to take a taxi home at night? Is it 'safe' for a man?


Do you have any flashbulb events that changed your model of what was safe instantly?


Security Models and Agenda
"We have feeling, model, reality. I have a very relativistic view of security. I think it depends on the observer. And most security decisions have a variety of people involved. And stakeholders with specific trade-offs will try to influence the decision. And I call that their agenda. And you see agenda -- this is marketing, this is politics -- trying to convince you to have one model versus another, trying to convince you to ignore a model and trust your feelings, marginalizing people with models you don't like."