State of CyberSecurity : 2020 perspective

In information security, organizations may both feel secure when they are not, and insecure when they are actually secure given that this function is both normative and descriptive. As Schneier states, security risk is both a subjective feeling and an objective reality, and sometimes those two views are different so that we fail acting correctly. Assuming that people act on perceived rather than actual risks, we will sometimes do things we should avoid, and sometimes fail to act like we should.