An innocent Twitter exchange with Pete Lindstrom earlier today about security perception versus real security made me see a very interesting aspect I hadn't noticed previously: the perception of security (or insecurity) can actually affect real security!
I believe it's a well-known truth that the perception of security for something can be different from the actual security; we were talking about iOS device security. A lot of people see iPhones as "unbreakable" (although it's not an Oracle product :-P), but the recently discovered issues (gotofail, touch snooping vulnerability) show that's not really the truth. In the same way, it's pretty common to see people considering Android devices the closest thing to Swiss cheese, when in fact most of the malware and attacks for that platform rely on rooted devices or on installing apps from unknown/untrusted sources. I still believe Apple is in a better position, as it has tighter control over what can run on iOS devices than Google (or device manufacturers) has for Android, but I don't see the difference as being as big as the general industry perception. It's a very similar discussion to the OS wars between Windows and Linux from a few years ago.
What made the exchange interesting was that we realized there is a feedback link between security perception and actual security. The notion that a platform is more vulnerable or less secure will make threat agents target that platform, raising the threat level and consequently the risk for that platform. The opposite is also true: being perceived as a secure platform actually makes it more secure (in the sense of lower risk)!
I think that it also explains why we don't see Mac malware numbers increasing at the same rate as their market share; it will certainly increase as it has become a more attractive target, but the perception of OS X being a more secure platform (doesn't matter if it's true or not) discourages malware creators from focusing on that platform. Mainframes are another great example of how perception keeps threat levels low.
Another interesting question derived from this notion: do security 'advertising' and PR stunts reduce risk by reducing threat agents' motivation levels?