Feeling secure is different from being secure. Cybersecurity professionals usually interpret this phrase as a reminder that enterprises often merely pay lip service to security without actually taking measures to improve it. The inverse of the situation is also true: Merely being secure is often insufficient if the subject doesn't feel secure.
Feeling Secure vs. Being Secure
In the essay In Praise of Security Theater, Bruce Schneier emphasized that "security is both a reality and a feeling." He explained:
"The reality of security is mathematical, based on the probability of different risks and the effectiveness of different countermeasures. […] But security is also a feeling, based on individual psychological reactions to both the risks and the countermeasures. And the two things are different: You can be secure even though you don’t feel secure, and you can feel secure even though you’re not really secure."
Schneier brought up the example of RFID bracelets placed on newborns to alert the hospital if an infant is abducted. The bracelets are used even though the probability of such an incident is very low. Yet, the "bracelets are a low-cost way to ensure that the parents are more relaxed when their baby was out of their sight." In this case, there is a benefit to making people feel secure even if the measure does not address a meaningful risk.
You can also listen to Schneier discuss this concept in his TED talk on the psychology of security.
The Importance of Feeling Secure
The feeling of security matters because humans sometimes make seemingly irrational decisions that have reasonable explanations, and also because sometimes emotions play a more significant role than logic. That's what makes us human.
In the context of IT, even if you take actions that make the organization more secure, that might not be enough. You need to pay attention to making sure your actions also allow the relevant constituents to feel secure.
The following examples come to mind:
- A user of an overly quiet antimalware tool might assume that the tool is ineffective and switch to a product that makes the person feel more secure. Even if you have a great security tool, you need to find a way to make sure that its users recognize its benefits.
- A corporation may have a CISO who is very effective at strengthening the company’s security posture and managing IT risk; however, the management may feel insecure unless the CISO captures the right metrics and offers meaningful reports.
- A client who commissioned a security assessment may have received competent service. However, unless the deliverable includes a comprehensive review of the findings and methodology, the client may feel unsatisfied.
- A company may select a security service provider that meets the firm's requirements based purely on polished sales interactions and marketing documents. Such collateral can make the prospect feel secure, regardless of the vendor's actual capabilities.
Those are just a few examples that remind us not to underestimate the importance of not only being secure, but also feeling secure. These two concepts are distinct, yet interrelated. Both require your attention.