When I found this talk by Bruce Schneier, I was instantly interested and expected something technical. Turns out my expectation was wrong; the talk was still very insightful nevertheless.

Schneier talks about security at a very high level. In fact, I'd rather say that it's a good talk on mental models and the human mind in general, with security as an example.

To quote from a transcript I found online (formatting by me):

Now there are several biases in risk perception. A lot of good experiments in this. And you can see certain biases that come up again and again. So I'll give you four.

  1. We tend to exaggerate spectacular and rare risks and downplay common risks -- so flying versus driving.
  2. The unknown is perceived to be riskier than the familiar. One example would be, people fear kidnapping by strangers, when the data supports kidnapping by relatives is much more common. This is for children.
  3. Third, personified risks are perceived to be greater than anonymous risks -- so Bin Laden is scarier because he has a name.
  4. And the fourth is people underestimate risks in situations they do control and overestimate them in situations they don't control.

This seems to make sense; I've found these patterns to exist widely. But he goes on:

And there's another cognitive bias I'll call confirmation bias, where we tend to accept data that confirms our beliefs and reject data that contradicts our beliefs. So evidence against our model, we're likely to ignore, even if it's compelling. It has to get very compelling before we'll pay attention.

This one is really important. Again, it's a pattern that I've noticed often, unfortunately even in my own thoughts.

Again, questions are raised: Is that how we perceive reality? And are we rational beings?

I don't think so. To quote Heinlein:

Man is not a rational animal, he is a rationalizing animal.