December 28th, 2005 by Chandler Howell

One of the biggest problems I face in my day-to-day job is convincing people that Information Security is a problem that applies to them at all. In many cases their lack of awareness means they don’t even realize they have a problem. Most (but not all) of us agree that this is where security awareness and user education efforts come into play. While I tend to agree that generic awareness training doesn’t do much good, it’s important to understand why we need to keep up the effort.

One word: Utility.

As Peter Bernstein states on page 105 of Against The Gods: The remarkable story of risk, Daniel Bernoulli nailed this one almost three hundred years ago:

“[The] utility resulting from any small increase in wealth will be inversely proportionate to the quantity of goods previously possessed.”

In the case of Security, this means that if someone believes they already have good security, they will see little benefit from an increase in protection and will be uninterested in (or even resistant to) security improvements that carry even a moderate cost. But if that same person believes they have poor security, they will perceive great benefit from even a moderate increase in protection and will be far more willing to invest their resources in efforts that might improve it.

The most dramatic example of this fact comes, I think, from the physical security world. Look at the massive funding and egregious abrogations of Constitutional rights that suddenly became acceptable after the 9/11 attacks.

Nothing had actually changed except that people suddenly felt they had very little security “wealth” and, as a result, perceived much greater utility from security measures. This applied both to effective measures, such as armoring airplane cockpit doors, and to those that were either ineffective (such as checking IDs to go anywhere any more) or carried an extremely high cost (such as gross violations of civil liberties).

In the Network Security world, this usually manifests itself as the sudden appearance of funding for some countermeasure that was “too expensive” prior to The Incident.

Be forewarned, though, that this can cut both ways. As Bernstein notes a few pages later,

According to Bernoulli, our decisions have a predictable and systematic structure. In a rational world, we would all rather be rich than poor, but the intensity of the desire to become richer is tempered by how rich we already are. Many years ago, one of my investment counsel clients shook his finger at me during our first meeting and warned me: “Remember this, young man, you don’t have to make me rich. I am rich already!”
This logical consequence of Bernoulli’s insight leads to a new and powerful intuition about taking risk. If the satisfaction to be derived from each successive increase in wealth is smaller than the satisfaction derived from the previous increase in wealth, then the disutility caused by a loss will always exceed the positive utility provided by a gain of equal size. That was my client’s message to me.
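Bernstein states the asymmetry in words; the following is an added worked derivation (mine, not Bernstein’s or Bernoulli’s text) that shows where it comes from. Bernoulli’s statement that the utility of a small increase in wealth is inversely proportional to the wealth already held is, in symbols, a differential equation whose solution is a logarithm (the constant of proportionality $k$ and the integration constant $c$ are arbitrary):

$$\frac{du}{dw} = \frac{k}{w} \quad\Longrightarrow\quad u(w) = k\ln w + c, \qquad k > 0.$$

Now compare a gain and a loss of the same size $d$ (with $0 < d < w$) from current wealth $w$:

$$\text{gain} = u(w+d) - u(w) = k\ln\!\left(1 + \tfrac{d}{w}\right), \qquad \text{loss} = u(w) - u(w-d) = -k\ln\!\left(1 - \tfrac{d}{w}\right).$$

Writing $x = d/w$, the loss exceeds the gain because

$$\ln(1+x) + \ln(1-x) = \ln(1 - x^2) < 0 \quad\text{for } 0 < x < 1, \qquad\text{so}\qquad -k\ln(1-x) > k\ln(1+x).$$

With constructed figures, $w = 100$ and $d = 50$: the gain is $k\ln 1.5 \approx 0.405k$ while the loss is $k\ln 2 \approx 0.693k$. The same derivation covers the earlier point about perceived security: the marginal utility $k/w$ is large when the perceived security “wealth” $w$ is small, which is exactly why the newly security-poor suddenly value a given increment of protection so highly, and why learning that one is poorer than one thought hurts more than the corresponding good news would have pleased.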

Thus, if you actually succeed in getting someone to realize that they are security-poor, that person is probably not going to be happy and you’re probably going to be the first one they look at for an explanation of where all their security “wealth” went.

So be sure of two things before you begin. First, that you have a plan to recreate some of that lost wealth. Second, that what you’re proposing is actually going to improve the situation. It’s been a long time since I mentioned it, but this would be a good time to go back to the basics of evaluating security projects.

- Posted in Security and Risk Management, Risk Management

[…] The Finns obviously understand Utility in a way that Americans, who all slept through economics based on my personal observations, do not. […]

- June 12th, 2007 at 6:18 am
