As an individual deeply immersed in the online world (read as: geek), I often find myself wondering why we place so much more importance and value on the real world over the virtual world. It’s a concept that I’ve never grasped and I thought I’d look at a few of the incongruities that I see on a regular basis.
I’m going to start with the least security related example but possibly the easiest to relate to as an introduction to this concept. I frequently play the video game EVE Online, an MMO that has survived for 10 years on the premise of “EVE is Real”.
The game developers believe they are creating a world that is “more real” than the world we all live in. The game is a massive sandbox and has more than 500K registered users. This is an incredible feat for any MMO but even more impressive when you consider their long history.
One of the things that makes EVE Online unique is that actions have meaning and the outcome of any action has lasting effect on the game. The easiest example of this is a common phrase in the game… “Oh well, it’s only pixels…”
This phrase is muttered when a ship is destroyed because, unlike in other MMOs, the destruction of a ship is permanent and, due to the developers’ method of converting real world money to in-game currency, everything has a value. So, you can easily assign a dollar value to the loss but, because it happened in the game, very few people seem to care long term.
Another, more security related topic, is even more personal to me. Recently, at a family reunion, I spent some time teaching the teens in the family how to pick simple locks and open handcuffs without a key. These are activities that you commonly see performed at computer security conferences because physical and cyber security are so intertwined.
The lessons definitely elicited more than a few concerned looks and questions of “Why?” but it really made me wonder. If I’d spent a couple of hours with a computer, would there have been equal levels of concern? I’m assuming there wouldn’t have been because while people see lock picking as a crime, most people see the same activity on a computer as “playing with the computer”.
By now, I’m sure you’re starting to wonder if I have a point… and I promise that I do. The point is fairly simple… there’s a huge disconnect between the trust that people place in computers and the trust that they are willing to give in the “real world”.
A great example of this happened just the other night. I’m currently traveling for work and, without my gaming computer, certain elements of the video game I play will stop (it requires regular updates). It was suggested that I simply provide my password to someone else and have them log in to update my account.
Let’s forget that the Terms of Service for the game forbid that activity for a second… we’re talking about a username and password. They likely have identifying information, are tied to other accounts, or are simply reused elsewhere. The fact that the suggestion was so casual truly scared me. Next, they might ask me to let them hold onto my credit card.
People know friends’ email, Facebook, Twitter, and LinkedIn passwords. They share banking, utilities, and cell phone account passwords. They’d never hand over their credit card number or their bankcard and PIN, but those things are real and, in their eyes, have value.
So in the end, we need to figure out a way to demonstrate the value of the online world. If people can’t see value when it is tangible (my first example), then how will they see intangible value? If people are afraid of physical security, why aren’t they afraid of cyber security?
In the end I don’t have a solution… so hopefully you weren’t looking for one here. Rather I have a question…
We (the security community) have put a lot of time into socializing security research with vendors and building the community. How do we socialize risk with individuals? I don’t have an answer yet, but I sure would like to come up with one.