David Glynn takes an in-depth look at the psychology of risk and security, writing that how people feel about security is of the utmost importance if a security solution is to be effective.
It may be a cliché to say that what the security industry sells is peace of mind, but that’s only because it is true. Rather than services or products, customers and clients pay for the idea of security; in very many cases a physical response may never become necessary. So for security professionals, it is essential we understand the underlying psychology of what makes people feel secure.
In his 2000 essay ‘The Psychology of Security’, Bruce Schneier writes, “Security is both a feeling and a reality. And they’re not the same.” The reality of security is a mathematical probability, based on various risk factors combined with their various countermeasures. The feeling of security is based not on mathematical calculations but rather on psychological reactions to both risks and countermeasures.
It is relatively simple to calculate how secure any given home is from burglary using such factors as its neighbourhood crime rate, presence of security systems, the door- and window-locking habits of the occupants, etc. The likelihood of being murdered in the street by a stranger or in one’s home by a family member can also be calculated. So can the probability of identity theft, based on behavioural patterns.
These calculations are performed by insurance companies all of the time, and the actuarial data is used to set premiums. But oftentimes, the feeling of security bears little or no relationship to these statistical probabilities.
Feeling Secure vs Being Secure
Many of us can probably remember being afraid of the dark as children, even though we were in a safe, secure family home. This is because fear is not always rational, or commensurate with the actual risk of harm, and the perception of risk varies from individual to individual.
One person may be deeply concerned about terrorism, and feel comforted by heightened airport security measures, while another may see them purely as an inconvenience. One person might feel they are at high risk of burglary, medium risk of murder, and low risk of identity theft. Meanwhile, their neighbour, in the exact same situation, might feel at a high risk of identity theft, medium risk of burglary, and low risk of murder.
To put it more generally, a person can be secure even if they don’t feel secure. And they might feel secure even though they are not. So, even though the feeling and reality of security are related, they are not the same thing. Says Schneier, “We’d probably be better off if we had two different words for them.” But it will be more useful to look at the psychological factors underlying the feeling of security, and see how they correlate to, and are affected by, statistical probabilities.
Fortunately, there have been numerous studies that, while not specifically addressing the concept of security, look deeply into the nature of risk, and our response to it.
Understanding the Feeling of Security
Over the millennia, human brains have developed complex mechanisms to deal with threats. Understanding how those mechanisms work, and how they fail, is critical to understanding the feeling of security, both intellectually and emotionally.
There are four fields of research which can shine a light on these questions. The first two – behavioural economics and the psychology of decision making – are closely related. The third is the psychology of risk, and the fourth is neuroscience itself, which studies the processes by which we actually think.
These fields have a lot to teach security practitioners, going a long way to explain where the divergence between the feeling and reality of security comes from, and how that manifests in behaviour. That way, we can create security systems by which a customer’s feelings about their own security are enhanced, rather than ignored.
To Understand Security, Understand Risk
As we have seen, the study of security is directly related to the psychology of risk, both actual and potential. So it is useful to outline a few general concepts that make up this psychology.
People exaggerate extreme but rare risks while downplaying common ones. They have trouble estimating risks in unfamiliar situations. They tend to overestimate risks that are under public discussion. People underestimate the risks they take voluntarily, while overestimating risks in situations outside of their control. Finally, personified risks are perceived to be greater than anonymous ones.
Yet we can reduce the psychology of risk even further, if we wish, to encompass just two basic principles. One, most people are less afraid of a risk they feel they have some control over, like driving, and more afraid of a risk they don’t control, like flying, even though one is demonstrably safer than the other. And two, most people will forego potential gains rather than risk losing what they already have.
This second principle is of profound importance for practitioners. In the main, security systems are designed to protect those things that customers and clients already possess: their family, their wealth, their possessions and their own physical and mental well-being. With regards to wealth, the principle is illustrated perfectly by something called Prospect Theory, as demonstrated in the following experiment.
In it, subjects were divided into two groups. One group was given the choice of these two alternatives:
- Alternative A: A sure gain of $500.
- Alternative B: A 50% chance of gaining $1,000.
The other group was given the choice of:
- Alternative C: A sure loss of $500.
- Alternative D: A 50% chance of losing $1,000.
In traditional economics, what is called “utility theory” predicts that people will make a straightforward calculation between relative gains and losses, and then choose accordingly.
In the experiment, both groups could choose between commensurate gains or losses of +$500 and –$500, i.e. both choices had the same utility.
Psychologically, some people are risk takers while others will prefer a sure thing. Still, the theory predicts that people will choose alternatives A and C with the same probability and alternatives B and D with the same probability. The fact that one choice involves gains and the other losses does not change the mathematics. Therefore, it should not affect the results. And yet it does.
When faced with a gain, 84% of subjects chose Alternative A (the sure gain) of $500 over Alternative B (the risky gain). But when faced with a loss, 70% chose Alternative D (the risky loss) over Alternative C (the sure loss).
To explain the difference, the researchers developed what they called “prospect theory.” Unlike utility theory, prospect theory recognises that human beings respond differently to the prospects of gains or losses. For most people, a small sure gain is better than the prospect of a risky larger gain, hence the old saying, “A bird in the hand is worth two in the bush.” But when it comes to losses, the reverse holds true: most people will risk the prospect of a greater loss when faced with a guaranteed smaller one.
Similar experiments have been conducted where the potential outcomes were commensurate, but the language used to define them differed; people made their choices based solely on whether the outcome was presented as a gain or a loss.
The commonality is that all of these choices represent a trade-off, and the trade-off is a fundamental notion when it comes to understanding the psychology of security.
There is no such thing as absolute security; any increase in security necessarily requires some sort of trade-off in cost, convenience or freedom. Not having one’s house broken into is worth the trade-off of paying for a security system and ensuring all the doors and windows are locked when you go out.
People make such security trade-offs, both large and small, every day, deciding whether to lock the when they are just popping into the dairy, or purchasing something from an untrustworthy website because it’s cheap. Often we make these trade-offs intuitively, without thinking, because our brains have evolved over millions of years to quickly assess potential threats and respond accordingly.
Assessing and reacting to risk is one of the most important things a living creature has to deal with. The part of the brain that performs this function is called the amygdala, which processes sensory input into base-level emotions such as fear, anger and avoidance, and then compels the body to act on them through the use of adrenaline and other hormones.
The fight-or-flight and other physiological responses these hormones produce were invaluable in ensuring the survival of early humans. But as the brain’s higher functions evolved, the ability to learn and to reason overlaid them with more complicated critical faculties. And though risk assessment still happens automatically and unconsciously all of the time, it is more often acted upon by the conscious mind deciding what trade-offs it is prepared to make.
We could say that the security trade-off is governed by the following factors:
- the severity of the risk;
- the probability of the risk;
- the magnitude of the costs;
- how effective the countermeasure is at mitigating the risk, and;
- how well disparate risks and costs can be compared.
As security professionals, it is our job to assess these criteria for our customers and clients, and use this assessment to create products and services that balance the necessary trade-offs. To do that, we must ensure that perception does not diverge too far from reality in any of these five areas—this way the perceived trade-off will match the actual trade-off.
For example, if we think the risk is greater than it is, we may spend too much on mitigating that risk. Overestimating the cost of a countermeasure may mean we hesitate to employ it where we should, and so on. And if we incorrectly evaluate the trade-off, we cannot accurately balance the costs and benefits.
Balance Is the Key
One of the things we must contend with when making such assessments is understanding how the perception of the risk often does not match the reality of the risk, both in our clients and ourselves. We all know that flying is safer than driving by orders of magnitude, and yet flying makes us nervous, where driving usually doesn’t.
This is because perceptions are often governed by psychological processes which are not wholly rational. Most people are less afraid of a risk they choose to take than of a risk imposed on them. For most people, the fear a risk entails reduces if that risk also offers benefits they desire. People are more afraid of being murdered by a stranger than by a family member, even though the latter is far more common. And no one is concerned about risks that they do not know exist, even though such risks may be very real.
Very rarely do we evaluate security trade-offs purely mathematically, analysing the probabilities of different events. Rather we use a combination of experience, intuition and rules of thumb, along with shortcuts, stereotypes and biases. With these, we are able to evaluate the probability of future events, consider the necessary costs, and decide which trade-offs we are prepared to make.
We often think of security in terms of “effectiveness,” whether a particular security measure is effective in achieving a given end. Bullet-proof vests are effective in stopping bullets, but for most of us, wearing one constantly is not a good trade-off.
What our customers want is that we provide them with the best security trade-offs—ones that offer genuine security for a reasonable cost—such that their feelings of security match the reality of security.
We have all heard the term “security theatre” used to describe palliative, often even illusory methods that only make people feel more secure. But in a certain way, all security is theatre, in that it both represents and reacts to a reality which is constantly being written. Those who seek to be protected by it must believe that what they see reflects the real world they live in. Those whom we seek to prevent from doing harm must also be convinced that security systems represent a real impediment. Either way, how people feel about security is of the utmost importance if it is to be effective.