Friday, September 19, 2008

Why security and privacy decisions are hard to make

I am trying to find a way of making security decisions, and by security decisions I mean decisions that involve trade-offs. We “always” trade something for security: we give up a little bit of privacy, or a little bit of convenience, for more security. But the question is: how do we decide to give up that little bit?

Consider this situation: your school decides to install surveillance cameras in the hallways to control thefts. I kind of do not like it, because “They” can see me whenever I am going to the washroom or going to talk on my cell phone. You are OK with it, and ask why someone might think it is a problem that “They” know I am going to the washroom. Well, because it is an individual thing: privacy has different aspects and levels, and it is very personal. Anyway, they install the cameras, because not many people object. Then, a month later, they announce that they need to install cameras inside the classrooms and grad student offices too, because then they can see the thieves picking up valuable stuff and jump in to arrest them, and also because thieves will know the cameras are there and won’t dare to try to steal things. Now more people may object to the privacy violation, but not everyone. In the extreme situation, they may decide to install cameras even in washrooms. Probably everyone would object that it is so against privacy and morality and blah.

Obviously, privacy is a personal matter, and so is security. The level at which I feel secure and private is completely different from that of others. It is true that at the extremes we all share the same objections, but we do not live in an extreme world. So, I ask my question again: how can we decide to install the cameras (or apply a security solution), considering the privacy violation, the costs, the increase in the level of security, the usability of that technology or tool, …?

And it is a hard problem.

First of all, if “They” decide based only on the cost and level of security, they might end up installing cameras everywhere, if they believe the cost of cameras is less than the cost of thefts. Therefore, security decisions need to consider the opinions of the multiple individuals who benefit from the system.

Secondly, many factors need to be considered. But these factors (which come from multiple individuals) are hard to measure. Can you suggest a way of measuring the level of privacy violation caused by installing surveillance cameras inside washrooms? We are faced with many qualities that are inherently qualitative and subjective. A major portion of research needs to be dedicated to find ways to quantify them. (If I am using a correct term: quantifize) Although there has always been a war between qualitative and quantitative reasoning, and people hiding behind numbers believe reasoning is solely limited to working with exact numbers, currently the only way to solve security decision making to me seems qualitative reasoning.

Third, security and risk analysis needs to look at the psychology of fear, of feeling secure and safe, and the psychology of risk tolerance. As humans, we do very fast and interesting qualitative risk analysis that is kind of beyond the numbers and math, which in the field of economics is called “Prospect Theory”. I am going to read about all this stuff and report back here in the coming days.

1 comment:

Jon said...

Hi Golnaz,

I'm keen to hear where you go with this.

I think the word you're looking for here is: quantify.

Oh, and just one question: you say first that "A major portion of research needs to be dedicated to find ways to [quantify the level of privacy violation]" but then say "the only way to solve security decision making to me seems qualitative reasoning." I'm assuming you meant to say "quantitative" here, no?

I'm starting to read some of your early posts now and I'm really enjoying them. I'll try to post comments.