Assessing Risk

Psychology Today has an article on people's ability to assess risk.

We substitute one risk for another.
Insurers in the United Kingdom used to offer discounts to drivers who purchased cars with safer brakes. “They don’t anymore,” says John Adams, a risk analyst and emeritus professor of geography at University College. “There weren’t fewer accidents, just different accidents.”
Why? For the same reason that the vehicles most likely to go out of control in snowy conditions are those with four-wheel drive. Buoyed by a false sense of safety that comes with the increased control, drivers of four-wheel-drive vehicles take more risks. “These vehicles are bigger and heavier, which should keep them on the road,” says Ropeik. “But police report that these drivers go faster, even when roads are slippery.”
Both are cases of risk compensation: People have a preferred level of risk, and they modulate their behavior to keep risk at that constant level. Features designed to increase safety—four-wheel drive, seat belts, or air bags—wind up making people drive faster. The safety features may reduce risks associated with weather, but they don’t cut overall risk. “If I drink a diet soda with dinner,” quips Slovic, “I have ice cream for dessert.”

It's not much of a leap to see how this affects computer security.

  • I’m using a minority browser that brags about how secure it is. I guess I can browse wherever I want and click on anything.
  • I have a new security suite; it will detect anything bad that happens.
  • The SMTP scanner hasn’t let through a virus yet; therefore I can open any attachment that comes in without consequence.

The safety improvements in cars aren’t supposed to replace intelligent driving decisions. Security software provides layers of protection; it doesn’t replace informed choices.
Link originally seen at Schneier’s Blog