What the lottery and security have in common

If you live in the US you can't escape the news about the Powerball lottery. The jackpot has grown to $1.3 Billion (with a capital B). Everyone is buying tickets and talking about what they'll do when they win enough money to ruin their life.

This made me realize the unfortunate truth about security we like to ignore. Humans are bad at reality. Here is how most of my conversations go.

"You won't win. The odds are zero percent."
"I might! You don't know!"

I'm of course labeled as being some sort of party pooper because I'm not creating stories about how I will burn through hundreds of millions of dollars in a few short weeks.

What does this have to do with security? It's because people are bad at reality. Let's find out why.

Firstly, remember that, as a species, evolution has built us to survive on the African Savannah. We are good at looking for horrible beasts in the grass, and at being able to quickly notice other humans (even if they appear in toast). We are bad at things like math and science because math rarely hides in the grass and eats people. The vast majority of people live their lives unaware of this as a problem. What we call "intuition" is simply "don't get eaten by things with big teeth".

Keeping this in mind, let's use the context of the lottery. The odds are basically zero percent once you take the margin of error into account. We don't care though, we want to believe that there's a chance to win. Our brain says "anything is possible" then marketing helps back that up. Almost nobody knows how bad their odds really are and since you see a winner on TV every now and then, you know it's possible, you could be next! The lottery ticket is our magic gateway to fixing all our problems.

Now switch to security. People are bad at understanding the problems. They don't grasp any of the math involved with risk, they want to do something or buy something that is the equivalent of a lottery ticket. They want a magic ticket that will solve all their problems. There are people selling these tickets. The tickets of course don't work.

How we fix this is the question. Modern medicine is a nice example. Long ago it was all magic (literally). Then, by creating the scientific method and properly training doctors, things got better. People stopped listening to the magicians (well, most people) and now they listen to doctors who use science to make things better. There is still plenty of quack medicine though; we want to believe in the magic cures. In general most of humanity goes to doctors when they're sick though.

Today all security is magic. We need to find a way to create security science so methods and ideas can be taught.

Between thinking about how to best blow my lottery winnings, I'll probably find some time to think about what security science looks like. Once I win though you'll all be on your own. You've been warned!

