You may well wonder what the two items in the title of this post have to do with each other. Computer Security is of course the practices and tools that go into having a secure computing experience while anti-lock brakes are a safety feature on most modern cars.
When anti-lock brakes were introduced, they were hailed as a life-saving technology that was sure to reduce the number of accidents on the road and result in fewer injuries and cost savings for everybody. However, the real-world results never matched these expectations. When drivers learned about and began using anti-lock braking systems, they started driving faster, following closer and braking later. All of these factors effectively cancelled out the predicted benefit of introducing them in the first place.
A number of studies have concluded that Risk Compensation is the reason for this result: "an effect whereby individual people may tend to adjust their behavior in response to perceived changes in risk".
So, what's really happening here? People go about their lives behaving in ways based on the perceived risks of their activity. If they think they might get hit by a car when crossing a street (the risks are higher), they will look both ways before crossing. If they think they might have lower odds of getting into an accident because their car has anti-lock brakes (the risks are lower), then they will drive more aggressively.
The effect is even more pronounced in professional sports. The National Football League (NFL) is experiencing more significant injuries while at the same time deploying safer equipment and changing rules in the name of safety. Players are responding to the perceived decrease in risks by playing the game more aggressively.
Putting Safety Pads on Your Computer
I believe Computer Security for consumers also suffers from the Risk Compensation effect, especially when it comes to firewalls and anti-virus software.
Firewalls and anti-virus software are staples of your average consumer computing experience. Most consumers don't really understand what these tools are or how they work, but they are told that if they use them and keep them up to date, they will be safe. Consumers are rarely educated about the basics of computer security technology. It would be charitable to say this is an oversight of an industry that wants to provide a safe and turn-key experience to its consumers. The more cynical reader is probably already thinking of the more likely explanation: the technology industry doesn't think users can or will ever be able to understand these issues.
The problem is that firewalls and anti-virus software are not nearly as effective as our industry has led consumers to believe. Combine this situation with Risk Compensation and we have an impending disaster on our hands. Consumers who are not educated on the basics of computer security are taking significant risks based on a false perception that firewall and anti-virus software will keep them safe.
The analogy with anti-lock brakes is a useful one in more ways than one. Clearly the automotive industry and our society are doing something right concerning automobiles or we would have an epidemic of automotive accidents. I think the key is two-fold: 1) a sense of responsibility and 2) education.
Unlike when your average consumer buys a computer, a new driver must go through drivers education and pass a written exam. Vehicles come with manuals that have all of the basic operational details spelled out including all safety procedures. At the same time, we have laws and regulations that hold a driver responsible for the operation of their vehicle.
The result is a driving experience that we as a society are relatively happy with.
Putting on the Brakes
In comparison, when a consumer buys a computer, they rush home to unpack it, watch a quick introductory video on how to attach it to the Internet, install anti-virus and firewall software and then start surfing. No computer security information is taught and no sense of responsibility is imparted for how the computer is operated.
I want to make sure readers don't think I'm suggesting that we require a computer security version of drivers ed and a license to operate a computer, nor that we need to pass new laws making users responsible for the actions taken by their compromised computers.
What I am advocating is that we start educating users about computer security. If they can learn important and complicated information regarding the safe operation of a car, they can surely learn material presented at the same level about computer security. I'm also advocating that we stop pretending that anti-virus and firewall software are going to protect consumers from all of the ills on the Internet.
People need to understand what level of real protection these tools are providing – and what risks they are still exposed to – so that they can become constructive and active participants in improving computer security for everybody.