Feeling secure is different from being secure. Infosec professionals usually interpret this phrase as a reminder that we often merely pay lip service to security without actually taking measures to improve it. The inverse of the situation is also true: Being secure is often insufficient if the subject doesn’t feel secure.
Feeling Secure vs. Being Secure
In the essay In Praise of Security Theater, Bruce Schneier emphasized that “security is both a reality and a feeling.” He continued:
“The reality of security is mathematical, based on the probability of different risks and the effectiveness of different countermeasures. […] But security is also a feeling, based on individual psychological reactions to both the risks and the countermeasures. And the two things are different: You can be secure even though you don’t feel secure, and you can feel secure even though you’re not really secure.”
Bruce brought up the example of RFID bracelets being placed on newborns to alert the hospital if the infant is abducted. The bracelets are used even though the chance of such incidents is very low. Yet, the “bracelets are a low-cost way to ensure that the parents are more relaxed when their baby was out of their sight.” In this case, there’s a benefit to making people feel secure even if the measure does not address a meaningful risk. (You can listen to Bruce discuss this concept in his TED video below as well.)
The Importance of Feeling Secure
The feeling of security matters because humans sometimes make seemingly irrational decisions that have reasonable explanations, and also because sometimes emotions play a more significant role than logic. That’s what makes us human.
In the context of IT, even if you take actions that make the organization more secure, that might not be enough. You also need to make sure your actions allow the relevant constituents to feel secure. A few examples where this can make a difference come to mind:
- A user of an anti-virus tool that is too quiet may assume that the tool is ineffective and switch to a competing product that makes the user feel more secure. If you have a great security tool, you need to find a way to make sure that your users see the benefit.
- A corporation may have a CISO who is very effective at strengthening the company’s security posture and managing IT risks; however, the management may feel insecure unless the CISO captures the right metrics and offers meaningful reports.
- A client who commissioned a security assessment may have received competent service, but unless the deliverable offers a comprehensive review of the findings and methodology, the client may feel unsatisfied with the engagement.
- A company may choose a service provider that they feel meets their security and compliance requirements based purely on polished sales interactions and marketing documents, regardless of the strength of the vendor’s actual security program.
Those are just a few examples that remind us not to underestimate the importance of not only being secure, but also feeling secure. These two concepts are distinct, yet interrelated. Both require your attention.