The psychology of security
Matúš Madzin
April 28, 2010

Introduction
- psychology in a different way
- trade-off
- examples
- conclusion
- subjective view & discussion

Trade-off
There is no such thing as absolute security. Security involves some sort of trade-off.
Questions:
- Is this effective against ...?
- Is it a good trade-off?
Example: bulletproof vest, house security system
Security is a balance between cost and benefits.

Conventional Wisdom About Risk
Most people are more afraid of a risk that
- is new than old (viruses)
- is man-made than natural (radiation of nuclear waste x sun)
- is imposed than chosen (pollution in workplace x smoking)
- doesn't bring benefits (living in San Francisco, Los Angeles)
- can kill them in awful ways (being eaten by a shark)

Conventional Wisdom About Risk II
- personified x anonymous
- beyond their control x under their control
- talked about x not discussed
- man-made x natural
- affecting them personally x affecting others
- new or unfamiliar x familiar
- uncertain x well understood
- directed against their children x directed towards themselves

Risk and the Brain
- emotional x logical aspects
- example: window story
- conclusion: bad experience — not logical decision

Risk Heuristics
- prospect theory
- cost heuristics
- heuristics that affect decisions

Prospect Theory
Experiment:
- Alternative A: A sure gain of $500
- Alternative B: A 50% chance of gaining $1000
- Alternative C: A sure loss of $500
- Alternative D: A 50% chance of losing $1000
Theory: A and C same probability.
Experiment: 84% A, 70% D

Prospect Theory II
Experiment:
- Program A: 200 people will be saved
- Program B: There is a one-third probability that 600 people will be saved, and two-thirds probability that no people will be saved
- Program C: 400 people will die
- Program D: There is a one-third probability that nobody will die, and a two-thirds probability that 600 people will die
Theory: exactly the same chances
Experiment: 72% choose A over B, 78% choose D over C

Cost Heuristics
Experiment:
- Trade-off 1: Imagine that you have decided to see a play where the admission is $10 per ticket. As you enter the theater you discover that you have lost a $10 bill. Would you still pay $10 for a ticket to the play?
- Trade-off 2: Imagine that you have decided to see a play where the admission is $10 per ticket. As you enter the theater you discover that you have lost the ticket. The seat is not marked and the ticket cannot be recovered. Would you pay $10 for another ticket?
Theory: same cases
Experiment:
- Trade-off 1: 88% said they would buy the ticket anyway
- Trade-off 2: 46% said they would buy a second ticket

Heuristics that Affect Decisions
If you want your boss to approve your $1M security budget.
Set of options:
- $250K, $500K, $1M
- $500, $1M, $2M
You have a better chance of getting the second set of options
Rule: avoid extremes

Summary
People are not adept at making rational security trade-offs.
Security costs:
- money
- time
- capabilities
- freedom

Questions & Discussion
Thank you for your attention