Cognitive Dissonance in Security

Given that it is nearing the end of the year, I was going to proclaim 2008 the year of cognitive dissonance in security. However, in doing some basic research, I found this blog posting on Computerworld that suggests someone beat me to it:

A whopping 90% of respondents believed they were somewhat (46%) or very
(44%) secure when cruising the Internet. [David] Perry [of Trend Micro] is shocked by their
confidence because "the Internet is becoming less secure." He cites
numerous statistics about botnet growth and Web-page infection rates to
prove his point. He describes the problem as cognitive dissonance among end users…

My own assessment, however, is that the security professionals are the ones with cognitive dissonance, not end users or enterprise users.

Cognitive dissonance is essentially a conflict between two thoughts, or between a thought and contrary evidence. For example, cults with a doomsday deadline become even more adamant that they were right after the deadline passes and the world lives on. In security, it may be cognitive dissonance to believe that vulnerability discovery and disclosure reduces risk, given the extraordinary evidence to the contrary.

The main circumstance that I believe reflects cognitive dissonance among security professionals is that we constantly say security is failing, even as spending on IT in general keeps increasing. Even worse, the next cliché out of our mouths tends to be "you have to speak and act like the business", which is in direct conflict with that claim.

In any case, I believe I can make a better case that it is security professionals demonstrating cognitive dissonance rather than computer users. Does anyone want to provide any evidence to the contrary?

(Incidentally, cognitive dissonance is one of ten "piercing insights" into human nature, as identified by PsyBlog.)