
Psychology of Security & Privacy
19 Mar, 2007

One of the most interesting and under-reported events at the recent RSA® Conference 2007 was the release of a paper by Bruce Schneier. Entitled "The Psychology of Security", the paper focuses not on how to make systems more secure, but on the plethora of variables that determine whether or not we feel secure as individuals. The paper is available at www.schneier.com/essay-155.html, and I encourage anyone with an interest in computer or any other kind of security to review it.

Besides being one of PGP Corporation's most trusted advisors, Bruce is one of the founding fathers of the computer security industry. When he takes the time to develop a paper of this depth, those of us in the security business tend to listen. The main thrust of the paper is that making people secure is only the first step in making them feel safe, and that a multitude of other factors completely unrelated to the relative security of any given system affect an individual's perception of just how safe he or she actually feels.

The good news here at PGP Corporation is that our approach to protecting confidential information is being validated in both the enterprise and vendor communities. The bad news is that as everyone jumps on the data protection bandwagon, the rising ambient noise level creates more confusion than clarity.

Bruce has identified four fields of research that impact this issue:

  • Behavioral economics
  • The psychology of decision-making
  • The psychology of risk
  • Neuroscience

I won't try to explain how these fields impact how secure or safe we each feel because Bruce does a great job of that in his paper. What's really interesting, according to Bruce, is that the way these variables interact makes human beings generally not very good at making security trade-offs. The classic example is that most people are much more afraid of dying while flying than while driving even though statistically they're 16 times more likely to die in an automobile than in an aircraft.

Bruce is threatening to turn "The Psychology of Security" into a book, and I personally hope he does. As an industry, we don't really understand the emotional and personal impact of the computer security systems we're now implementing. I'm convinced we can build more effective and cheaper security systems if people like Bruce spend time investigating how we make our ultimate customers feel more secure when using their computing and communications devices.

For a slightly different perspective on this topic, I also recommend checking out the work being done by John Mitchell and some colleagues at Stanford University. The work was summarized recently in The Economist, and there's also a detailed description available [PDF: 216KB]. Mitchell and his team have developed the concept of "contextual integrity", which basically proposes that people neither need nor expect complete privacy in all their interactions with the world around them. Originally developed by Helen Nissenbaum at NYU, the basis of contextual integrity is that most of us have no problem sharing personal information with other individuals and institutions—provided certain social and cultural norms are met in its use.

Normally, contextual integrity would be of interest only to sociologists, but Mitchell and his team are computer language experts. They've discovered a way to use the concept in machine language to express concepts as complex as U.S. privacy laws. It is this kind of research that will enable the computer industry to build the next generation of security and privacy systems.

- Phil
