Security Trade-Offs: When Feelings Diverge From Reality
Every day, we make decisions based on security risks. This can be as simple as whether we lock our front door or what method of payment we use when making a purchase. Sometimes, we understand that our feeling of security is not the same thing as the reality of security – we may understand that our neighborhood has very little crime, an assessment that can be proven through data, and we may lock our door anyway. Conversely, there are scenarios where we may feel secure even though we’re not. We all know that best practices for cybersecurity dictate using complex passwords, but we may decide that using our dog’s name as a password for every account we have feels secure enough.
Security technologist and Harvard lecturer Bruce Schneier describes these as “security trade-offs.” In his essay titled “The Psychology of Security,” he explains that every gain in security results in a trade-off, whether that be trading convenience, time, or even liberties. To most of us, carrying a key around and using it when we want to open our front door is a minor trade-off compared to the possibility of our home being burglarized. The hassle of having to pass through a TSA checkpoint pales in comparison to the idea of an airplane hijacking.
A recent Los Angeles Times article noted that Beverly Hills, while having a lower crime rate than most of the country, had still made drastic investments in a security program. The city now has one video surveillance camera for every seventeen residents – a ratio on par with Beijing. The article quotes Hannah Zhao, a staff attorney with the Electronic Frontier Foundation, who cautions: “Any discussions about the trade-offs between efficiency and security and people’s civil liberties should involve the community.” Some feel that the City of Beverly Hills has miscalculated security trade-offs to the point of violating its citizens’ privacy.
Where We Miscalculate Security Trade-Offs
Schneier points out that humans are terrible at calculating security trade-offs. “As a successful species on the planet, humans should be really good at making security trade-offs. And yet, at the same time we seem hopelessly bad at it,” he writes. “We exaggerate some risks while minimizing others. We exaggerate some costs while minimizing others… our feeling of security diverges from the reality of security, and we get things wrong.”
In his view, there are five aspects of the security trade-off that we tend to miscalculate:
- The severity of the risk. If we believe the security risk to be greater than it really is, we will spend more money or time than necessary to mitigate the risk.
- The probability of the risk. If we believe the security risk is real but that it won’t affect us, we will spend less money or time than necessary to mitigate the risk.
- The magnitude of the costs. If we overestimate the cost of a countermeasure against the security risk, we’re less likely to apply it when we should.
- How effective the countermeasure is at mitigating the risk. If we underestimate the cost of a countermeasure against the security risk, we’re more likely to apply it when we shouldn’t.
- How well disparate risks and costs can be compared. If we evaluate the trade-off incorrectly, we won’t accurately assess the cost versus the benefit.
“The more your perception diverges from reality in any of these five aspects, the more your perceived trade-off won’t match the actual trade-off,” Schneier explains. Can we get better at matching perception to reality? Shad McPheters, General Manager of the Americas at Milpitas, Calif.-based Northland Controls, shares his thoughts on how we can evaluate security trade-offs more effectively.
1. The Severity of the Risk
Risks are determined through data and events but also based on human experience, McPheters notes, so the interpretation of those risks will always have a human element to them. “If I owned a home on a rural farm in Indiana for example, one might suggest that the potential security risks there might be much less than owning a home in the worst neighborhood of a major city,” he says.
“I could review crime rates, watch the news, or maybe even witness or experience a crime to conclude what level of security should be incorporated in my home. However, if I had been robbed on my farm, I may incorporate a much higher level of security at my personal residence than even may be recommended for a residence in a bad neighborhood of a major city.”
The perceived risk severity in this case would differ significantly between a farmer who had been robbed and a farmer in Indiana who had not. “If one invests $50,000 to protect their property and the other invests $0, who’s to say that one is right over the other?” McPheters asks. It’s impossible to apply a fixed rate to peace of mind.
2. The Probability of the Risk
Risk probability is a major factor in any security decision, but sometimes security operations across multiple locations lose efficiency when adhering to corporate standards. McPheters speaks to the challenges faced by security organizations tasked with protecting the assets of large corporations.
“Large corporations most often look internally to the value of the assets they are protecting versus the outside influences that could potentially damage, steal, or destroy those assets and make their security decisions on that basis,” he notes.
“They put their offices, factories, and data centers in the places where they will be able to generate the most revenue for their organizations, not necessarily in what they perceive to be the safest locations. So, the challenge for the security organizations within these corporations is to mitigate the risks of these assets and these facilities, no matter the probability of the perceived risks. This is most often done by developing corporate security standards that apply to all their facilities, not just the facilities that are in reported high-risk locations.” In this way, the probability of the security risk can become divorced from the security implemented to prevent the risk.
3. The Magnitude of the Costs
“Money talks and will always be a factor in security mitigation,” McPheters says. “In my mind, it could make sense to spend $1,000 on an intricate device to lock up a bicycle to prevent it from being stolen if the bicycle is only worth $500. For many others, it would not make sense. This is a contributing factor to why some great ideas in security have never been fully developed because for many, the costs outweigh the value. The important factor is understanding the value of what is being protected before proposing security solutions to protect assets.”
4. How Effective the Countermeasure Is
It’s hard to evaluate the effectiveness of a security measure if the security measure is working, McPheters points out. “If you put a bolt lock on your front door because you heard someone broke into your neighbor’s house, how do you measure your success? Is it successful because no one breaks into your house for six months after that? Is it effective because someone tries to break in, but is unsuccessful? Is it measured only if someone tries and is successful so it can be called an unsuccessful countermeasure? Or maybe the potential robber walks by and sees that there is a bolt lock so just keeps on walking and doesn’t even try? Maybe the installation was an overreaction because of the break-in at the neighbor’s and no one ever would have tried breaking into your house even if you had not put a lock on the door.”
The reality is that there is no way to find out. “Much of this has to be left to individual organizations to determine what level of risk they are willing to tolerate and what level of investment they want to make.”
5. How Well Disparate Risks and Costs Can Be Compared
McPheters is insistent on this one: “They can’t be!” he exclaims. “In one scenario, a padlock and chain on a front gate might work just as well as cameras, electronic access control and floodlights. I think this is the argument for developing security standards within an organization so that the organization is happy to make the investment, regardless of the results. They know that they are protecting the assets of the organization to the level that is accepted by the organization, while understanding the potential risks for the investment.”
6. Balancing Feeling and Reality
Schneier concludes, “We make the best security trade-offs—and by that I mean trade-offs that give us genuine security for a reasonable cost—when our feeling of security matches the reality of security. It’s when the two are out of alignment that we get security wrong.” So how can we begin to even the balance and match the feeling on an equal level to the reality?
“I keep going back to establishing acceptable standards and understanding the potential risks and costs that may still be present after implementing those standards,” McPheters muses.
“On a personal level, the standard may be to keep your front door unlocked during the day to make sure no one is locked out of the house. You may review the local crime reports and decide that there is little risk in doing such a thing in the neighborhood you live in. Similarly, companies have to determine what level of risk they are willing to tolerate based on both the emotional and financial costs of that risk level. Wherever possible, look to data to make as informed and rational a decision as possible, such as data from a thoughtful and thorough risk analysis by a third party.”
McPheters recommends, “We all have to recognize that there is a strong personal element to security standards as an individual or in the workplace.” While it’s impossible to remove human emotion from security decisions, trying to find the proper balance between the feeling of security and the reality of security can help us make better decisions and smarter trade-offs.