Essays in the Category "Psychology of Security"

Page 3 of 3

The Psychology of Security (Part 2)

  • Bruce Schneier
  • January 18, 2008

Return to Part 1

The Availability Heuristic

The “availability heuristic” is very broad, and goes a long way toward explaining how people deal with risk and trade-offs. Basically, the availability heuristic means that people “assess the frequency of a class or the probability of an event by the ease with which instances or occurrences can be brought to mind.”28 In other words, in any decision-making process, easily remembered (available) data are given greater weight than hard-to-remember data.

In general, the availability heuristic is a good mental shortcut. All things being equal, common events are easier to remember than uncommon ones. So it makes sense to use availability to estimate frequency and probability. But like all heuristics, there are areas where the heuristic breaks down and leads to biases. There are reasons other than occurrence that make some things more available. Events that have taken place recently are more available than others. Events that are more emotional are more available than others. Events that are more vivid are more available than others. And so on…

The Psychology of Security (Part 1)

  • Bruce Schneier
  • January 18, 2008


Security is both a feeling and a reality. And they’re not the same.

The reality of security is mathematical, based on the probability of different risks and the effectiveness of different countermeasures. We can calculate how secure your home is from burglary, based on such factors as the crime rate in the neighborhood you live in and your door-locking habits. We can calculate how likely it is for you to be murdered, either on the streets by a stranger or in your home by a family member. Or how likely you are to be the victim of identity theft. Given a large enough set of statistics on criminal acts, it’s not even hard; insurance companies do it all the time…

The Evolutionary Brain Glitch That Makes Terrorism Fail

  • Bruce Schneier
  • Wired
  • July 12, 2007

Two people are sitting in a room together: an experimenter and a subject. The experimenter gets up and closes the door, and the room becomes quieter. The subject is likely to believe that the experimenter’s purpose in closing the door was to make the room quieter.

This is an example of correspondent inference theory. People tend to infer the motives—and also the disposition—of someone who performs an action based on the effects of his actions, and not on external or situational factors. If you see someone violently hitting someone else, you assume it’s because he wanted to—and is a violent person—and not because he’s play-acting. If you read about someone getting into a car accident, you assume it’s because he’s a bad driver and not because he was simply unlucky. And—more importantly for this column—if you read about a terrorist, you assume that terrorism is his ultimate goal…

Don't Look a Leopard in the Eye, and Other Security Advice

  • Bruce Schneier
  • Wired
  • May 31, 2007

If you encounter an aggressive lion, stare him down. But not a leopard; avoid his gaze at all costs. In both cases, back away slowly; don’t run. If you stumble on a pack of hyenas, run and climb a tree; hyenas can’t climb trees. But don’t do that if you’re being chased by an elephant; he’ll just knock the tree down. Stand still until he forgets about you.

I spent the last few days on safari in a South African game park, and this was just some of the security advice we were all given. What’s interesting about this advice is how well-defined it is. The defenses might not be terribly effective—you still might get eaten, gored or trampled—but they’re your best hope. Doing something else isn’t advised, because animals do the same things over and over again. These are security countermeasures against specific tactics…

Virginia Tech Lesson: Rare Risks Breed Irrational Responses

  • Bruce Schneier
  • Wired
  • May 17, 2007

French translation

Everyone had a reaction to the horrific events of the Virginia Tech shootings. Some of those reactions were rational. Others were not.

A high school student was suspended for customizing a first-person shooter game with a map of his school. A contractor was fired from his government job for talking about a gun, and then visited by the FBI when he created a comic about the incident. A dean at Yale banned realistic stage weapons from the university theaters—a policy that was reversed within a day. And some teachers terrorized…

Psychology of Security

  • Bruce Schneier
  • Communications of the ACM
  • May 2007

The security literature is filled with risk pathologies, heuristics that we use to help us evaluate risks. I’ve collected them from many different sources.

Risks of Risks
Exaggerated Risks Downplayed Risks
Spectacular Pedestrian
Rare Common
Personified Anonymous
Beyond one’s control More under control
Externally imposed Taken willingly
Talked about Not discussed
Intentional or man-made Natural
Immediate Long-term or diffuse
Sudden Evolving slowly over time
Affecting them personally Affecting others
New and unfamiliar…

Why the Human Brain Is a Poor Judge of Risk

  • Bruce Schneier
  • Wired
  • March 22, 2007

The human brain is a fascinating organ, but it’s an absolute mess. Because it has evolved over millions of years, there are all sorts of processes jumbled together rather than logically organized. Some of the processes are optimized for only certain kinds of situations, while others don’t work as well as they could. There’s some duplication of effort, and even some conflicting brain processes.

Assessing and reacting to risk is one of the most important things a living creature has to deal with, and there’s a very primitive part of the brain that has that job. It’s the amygdala, and it sits right above the brainstem, in what’s called the medial temporal lobe. The amygdala is responsible for processing base emotions that come from sensory inputs, like anger, avoidance, defensiveness and fear. It’s an old part of the brain, and seems to have originated in early fishes…

In Praise of Security Theater

  • Bruce Schneier
  • Wired
  • January 25, 2007

Portuguese translation

While visiting some friends and their new baby in the hospital last week, I noticed an interesting bit of security. To prevent infant abduction, all babies had RFID tags attached to their ankles by a bracelet. There are sensors on the doors to the maternity ward, and if a baby passes through, an alarm goes off.

Infant abduction is rare, but still a risk. In the last 22 years, about 233 such abductions have occurred in the United States. About 4 million babies are born each year, which means that a baby has a 1-in-375,000 chance of being abducted. Compare this with the infant mortality rate in the U.S.—one in 145—and it becomes clear where the real risks are…

Sidebar photo of Bruce Schneier by Joe MacInnis.