People’s ability to assess risk is often affected by factors that seem irrational. Information security specialists should account for these tendencies when performing assessments and when creating infosec documentation. Here’s an example of one such irrationality, called the border bias.
Relying on Protection of a State Border Line
Arul Mishra and Himanshu Mishra published a study demonstrating that people believe that political state borders can protect against disasters. The researchers explored what makes people underestimate the risks of incidents. One of the factors, they found, was that state borders created the illusion of safety by separating the individuals from the disaster site:
"By perceiving state borders to be physical barriers that keep disaster at bay, people underestimate the severity of a disaster spreading from a different state, but not the severity of an equally distant disaster approaching from within a state."
The subjects in the study held the irrational belief that the presence of a political state border line could restrict disasters. As a result, they did not adequately incorporate into their risk assessment the actual physical distance to the potential disaster site.
In a follow-up study, described in a Scientific American article, the researchers found that the thickness of the border line on the map affected people’s reliance on the border for disaster protection. A light line between the states on the map seemed to increase people’s perception of risk, while a dark, thick line provided increased psychological protection.
Border Bias in Information Security
One way to look at the border bias in information security is to consider how security devices may provide the illusion of protection akin to that of state lines. For instance, border firewalls are often configured to allow too many protocols in and out of the corporate network. Similarly, network intrusion detection (NIDS) sensors might be deployed in a way that doesn’t let them look at traffic that might carry attacks (e.g., HTTPS). Merely because security technologies are in place, people will underestimate the risk of an intrusion, even though the tools might not provide meaningful protection.
Also, consider whether the way in which security diagrams are drawn persuades people to believe that the illustrated security architecture can provide protection. For instance, I wonder whether people will place more trust in a firewall if the diagram displays that device using a dark, hefty icon. This would mimic the finding that state borders drawn using a thick line carry the illusion of increased protection.
If you found this interesting, take a look at my earlier note on why you may want to consider making your security policies harder to read.