Border Bias and Risk Perception in Information Security

People’s ability to assess risk is often affected by factors that seem irrational. Information security specialists should account for these tendencies when performing assessments and when creating infosec documentation. Here’s an example of one such irrationality, called the border bias.

Relying on Protection of a State Border Line

Arul Mishra and Himanshu Mishra published a study demonstrating that people believe that political state borders can protect against disasters. The researchers explored what makes people underestimate the risks of incidents. One of the factors, they found, was that state borders created the illusion of safety by separating the individuals from the disaster site:

“By perceiving state borders to be physical barriers that keep disaster at bay, people underestimate the severity of a disaster spreading from a different state, but not the severity of an equally distant disaster approaching from within a state.”

The subjects in the study held the irrational belief that the presence of a political state border line could restrict disasters. As a result, they did not adequately incorporate into their risk assessment the actual physical distance to the potential disaster site.

In a follow-up study, described in a Scientific American article, the researchers found that the thickness of the border line on the map affected people’s reliance on the border for disaster protection. A light line between the states on the map seemed to increase people’s perception of risk, while a dark, thick line provided increased psychological protection.

Border Bias in Information Security

One way to look at the border bias in information security is to consider how security devices may provide the illusion of protection akin to that of state lines. For instance, border firewalls are often configured to allow too many protocols in and out of the corporate network. Similarly, network intrusion detection system (NIDS) sensors might be deployed in a way that doesn’t let them look at traffic that might carry attacks (e.g., encrypted HTTPS sessions). Merely because security technologies are in place, people will underestimate the risk of an intrusion, even though the tools might not provide meaningful protection.

Also, consider whether the way in which security diagrams are drawn persuades people to believe that the illustrated security architecture can provide protection. For instance, I wonder whether people will place more trust in a firewall if the diagram displays that device using a dark, hefty icon. This would mimic the finding that state borders drawn using a thick line carry the illusion of increased protection.

If you found this interesting, take a look at my earlier note on why you may want to consider making your security policies harder to read.

Lenny Zeltser


About the Author

Lenny Zeltser develops products and programs that use security to achieve business results. He is the CISO at Axonius and Faculty Fellow at SANS Institute. Lenny has been leading efforts to establish resilient security practices and solve hard security problems for over two decades. A respected author and practitioner, he has been advancing tradecraft and contributing to the community. His insights build upon real-world experience, a Computer Science degree from the University of Pennsylvania, and an MBA degree from MIT Sloan.
