The Importance of Feeling Secure

Feeling secure differs from being secure—both matter. Users may abandon effective but quiet security tools, CISOs need compelling metrics and reports even when doing excellent work, and clients need comprehensive deliverables to feel satisfied with security assessments.

Feeling secure is different from being secure. Cybersecurity professionals usually interpret this phrase as a reminder that enterprises often merely pay lip service to security without actually taking measures to improve it. The inverse of the situation is also true: Merely being secure is often insufficient if the subject doesn’t *feel *secure.

Feeling Secure vs. Being Secure

In the essay In Praise of Security Theater, Bruce Schneier emphasized that “security is both a reality and a feeling.” He explained:

“The reality of security is mathematical, based on the probability of different risks and the effectiveness of different countermeasures. […] But security is also a feeling, based on individual psychological reactions to both the risks and the countermeasures. And the two things are different: You can be secure even though you don’t feel secure, and you can feel secure even though you’re not really secure.”

Bruce brought up the example of RFID bracelets being placed on newborns to alert the hospital if the infant is abducted. The bracelets are used even though the chance of such incidents is very low. Yet, the “bracelets are a low-cost way to ensure that the parents are more relaxed when their baby was out of their sight.” In this case, there’s a benefit to making people *feel *secure even if the measure does not address a meaningful risk.

You can listen to Bruce discuss this concept in his TED video below as well:

The Importance of Feeling Secure

The feeling of security matters because humans sometimes make seemingly irrational decisions that have reasonable explanations, and also because sometimes emotions play a more significant role than logic. That’s what makes us human.

In the context of IT, even if you take actions that make the organization more secure, that might not be enough. You need to pay attention to making sure your actions also allow the relevant constituents to feel secure.

The following examples come to mind:

A user of an overly quiet antimalware tool might assume that the tool is ineffective and switch to a product that makes the person feel more secure. Even if you have a great security tool, you need to find a way to make that its users recognize its benefits.

A corporation may have a CISO who is very effective at strengthening the company’s security posture and managing IT risk; however, the management may feel insecure unless the CISO captures the right metrics and offers meaningful reports.

A client who commissioned a security assessment may have received competent service. However, unless the deliverable includes a comprehensive review of the findings and methodology, the client may be feel unsatisfied.

A company may select a security service provider that meets the firm’s requirements based purely on polished sales interactions and marketing documents. Such collateral can make the prospect feel security, regardless of the vendor’s actual capabilities.

Those are just a few examples that remind us not to underestimate the importance of not only being secure, but also feeling secure. These two concepts are distinct, yet interrelated. Both require your attention.

About the Author

Lenny Zeltser is a cybersecurity leader with deep technical roots and product management experience. He created REMnux, an open-source malware analysis toolkit, and the reverse-engineering course at SANS Institute. As CISO at Axonius, he leads the security and IT program, focusing on trust and growth. He writes this blog to think out loud and share resources with the community.

Learn more →