Feeling Secure

“We respond to the feeling of security and not the reality. Most of the time that works…So it’s important for us, those of us who design security, who look at security policy, or even look at public policy in ways affect security [to realize that] it’s not just reality it’s feeling and reality. What’s important is that they be about the same. If our feelings match reality we make better security trade-offs.”

~ Bruce Schneier

Common cognitive biases related to risk perception:

• We tend to exaggerate spectacular and rare risks and downplay common risks
• The unknown is perceived to be riskier than the familiar
• Personified risks are perceived to be greater than anonymous risks
• People underestimate risks in situations they do control and overestimate them in situations they don’t control
• We estimate the probability of something by how easy it is to bring instances of it to mind [availability heuristic]
• We respond to stories more than data

Books by Bruce Schneier:

• Schneier on Security
• Beyond Fear
• Secrets and Lies
• Practical Cryptography