Security is both a feeling and a reality, and the two are different things. People can feel secure when they’re actually not, and they can be secure even when they believe otherwise.
I’d go further and say that there are multiple realities in security, and this is something that often trips up security experts.
You see this all the time in the physical world. Fox News presents a different reality to its viewers—this is something that both its supporters and detractors agree upon. More topically, doomsday preppers seem to be living in a different reality from the rest of us, a reality in which the apocalypse is just around the corner.
Security experts also live in their own reality, where they are constantly thinking about vulnerabilities, exploits, and scams. Many of their friends are also security experts, and they compete at finding security flaws. They attend security conferences where it is a bad idea to let your guard down.
When all of your neighbors have guns, it can make sense for you to arm up, and when all of your acquaintances are security experts and “hackers”, no security measures are paranoid—they really are out to get you.
It’s a problem when security researchers try to impose their reality on the rest of the world. What should you do when you find a security vulnerability in someone’s web site or product? I don’t have the answer, but I think it makes sense to first figure out whether the vulnerable party lives in the same reality that you do. Otherwise you might get a visit from the FBI.
Security is important, but to most people, security is not the most important thing in the world.