Comments

Davi Ottenheimer • January 17, 2005 11:22 AM

No date on the article?

The article sums up your book, Beyond Fear, as: "people make security decisions based on perceived instead of actual risk."

This synopsis reminds me of David Hume the philosopher (1711-1776) who wrote that any claim of "objective fact" does not have necessary implications since we can easily think of a world in which such implications would not hold.

The usual subject I have heard used to help illustrate this theory is the humble doorknob. We cannot really say we know how a doorknob "actually" turns until we have turned it. So what we might claim as "knowledge" or "reality" is often nothing more than habit or custom.

And so I agree with the argument attributed to you, but I wonder if there can be anything other than "perceived" risk to base forward-looking decisions, since "actual" risk would be our immediate experience or already in the past. The cause/effect of risk (R=AVT) might be based entirely in our own habits of thinking.

Perhaps you would agree that we do not drive our cars because we know the actual risks at every corner. Instead we are able to get from A to B because our experience tells us how to analyze and perceive the risks ahead, and then to choose a reasonable course of action. I suspect if we had to know "actual" risks before we could drive, we would never go anywhere.

Nigel Sedgwick • January 17, 2005 11:55 AM

Two points on Davi Ottenheimer's comment:

(i) Surely the problem is wrong perception versus right perception, rather than the actual (which is unknown until later, as Davi points out).

(ii) With proposed security protections, often only the reduction in risk is seen (even when correctly perceived), and not the (non-security) downside of the protection. Thus one can be worse off overall with the protection than with no action, or with some other protection that offers somewhat less security improvement with much less downside.

Karl Tunnell-Braun • January 18, 2005 11:44 AM

Surely we are talking about theoretical vs. practical philosophy here. Everything is perceived; the only "real" threats that can be talked about in a practical manner are those which have a statistical foundation. Correct or incorrect perceptions are only determined, I think, by statistics on past events.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.