Humans not evolved for IT security

Human beings aren't evolved for security in the modern world, and particularly the IT security world, according to security guru Bruce Schneier.

He told delegates at the 2007 RSA Conference that there is a gap between the reality of security and the emotional feel of security due to the way our brains have evolved. This leads to people making bad choices.

"As a species we got really good at estimating risk in an East African village 100,000 years ago. But in 2007 London? Modern times are harder."

Our brains evolved to deal with the reality of security, but emotional aspects also have a big role, he added. There are a number of such factors that prevent people from making the right security decisions. For instance:

• Exaggerate uncommon risks – for example, air travel is safer than cars but because car accidents are common they are seen as less risky
• Unknown risks – The unknown is always scary
• Personified risk – Osama Bin Laden is scarier than a faceless threat
• Involuntary risks – We overestimate the risks of situations where we have no control, like natural disasters
• Risks that could be controlled – The DC sniper caused a few deaths but the response was way out of proportion.

"In the technology industry we like to think we're computers, but we're not even close," he said.

"The brain is still in beta mode, it's got all sorts of patches and workarounds. It's not perfectly created, it's clearly evolved up."

Too often in the industry products appealed to people's emotions rather than addressing business facts and that was hurting the industry.