Reality in Security

The Difference Between Feeling and Reality in Security by Bruce Schneier (WIRED)

If we make security trade-offs based on the feeling of security rather than the reality, we choose security that makes us feel more secure over security that actually makes us more secure. And that's what governments, companies, family members and everyone else provide. Of course, there are two ways to make people feel more secure. The first is to make people actually more secure and hope they notice. The second is to make people feel more secure without making them actually more secure, and hope they don't notice.

The key here is whether we notice.

Bruce Schneier wrote this article in 2008. Ten years later, I end up working in certain places that, in my opinion, make too many information security decisions based on FUD and feeling. They'll claim to make risk-based decisions. But the risks are based on one person's (or a few people's) feelings about risk.

Author: Khürt Williams

A human who works in information security and enjoys photography, Formula 1 and craft ale.