Schneier on Security
A blog covering security and security technology.
« Safecracking |
| Microsoft RC4 Flaw »
January 17, 2005
This article from SIGNAL has some interesting quotes by me.
Posted on January 17, 2005 at 8:00 AM
• 3 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
No date on the article?
The article sums your book, Beyond Fear, as: "people make security decisions based on perceived instead of actual risk"
This synopsis reminds me of David Hume the philosopher (1711-1776) who wrote that any claim of "objective fact" does not have necessary implications since we can easily think of a world in which such implications would not hold.
The usual subject I have heard used to help illustrate this theory is the humble doorknob. We can not really say we know how a doorknob "actually" turns until we have turned it. So what we might claim as "knowledge" or "reality" is often nothing more than habit or custom.
And so I agree with the argument attributed to you, but I wonder if there can be anything other than "perceived" risk to base forward-looking decisions, since "actual" risk would be our immediate experience or already in the past. The cause/effect of risk (R=AVT) might be based entirely in our own habits of thinking.
Perhaps you would agree that we do not drive our cars because we know the actual risks at every corner. Instead we are able to get from A to B because our experience tells us how to analyze and perceive the risks ahead, and then to choose a reasonable course of action. I suspect if we had to know "actual" risks before we could drive, we would never go anywhere.
Two points on Davi Ottenheimer's comment:
(i) Surely the problem is wrong perception versus right perception; rather than the actually (which is unknown until later, as Davi points out).
(ii) With proposed security protections, often only the reduction in risk is seen (even when correctly perceived), and not the (non-security) downside of the protection. Thus one can be worse off overall with the protection than with no action, or with some other protection that offers somewhat less security improvement with much less downside.
Surely we are talking about theoretical vs. practical philosophy here. Everything is perceived; the only "real" threats that can be talked about in a practical manner are those which have a statistical foundation. Correct or incorrect perceptions are only determined, I think, by statistics on past events.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.