Perception of risk
People make subjective judgements about risk – balancing various aspects such as likelihood and severity. The term Risk Perception is used to describe such judgements and is often applied to diverse matters including environmental protection and financial management as well as information security. Several theories have been proposed to explain why different people make different estimates of the potential harm of risks manifesting. Studies into risk perception have involved various disciplines such as psychology, anthropology and sociology. What has emerged from this work is one factor – most people react to risk in an emotional manner – often through behavioural facets such as Confirmation Bias. This reaction often comes as a surprise to people who are aware of the fundamental statistics relating to risk.
Sarah Hogg, journalist and former chairperson of Frontier Economics, published an article in the Independent newspaper discussing problems occurring in the UK rail network after a major rail crash in Hatfield in 2000:
On my way to a train that runs at less than half the speed it did a few weeks ago, I drive past a sign telling me that 61 people have died on Lincolnshire's roads this year so far. Some 449 have been seriously injured. Thus, in our part of the world, are the police illustrating a truth ignored in the aftermath of the Hatfield crash? Cars kill more people than trains…
Four people died in the Hatfield crash, and the entire UK rail network was subject to stringent safety restrictions. Yet because we perceive train-based risk in a way that is different from road (car)-based risk, we spend somewhere in the region of 150 times more on train safety than car safety per life lost.
There are other examples of the effect of risk perception. In healthcare, a great deal of money is spent on treating diseases like cancer. This is undoubtedly the right thing to do, but more lives would be saved if appropriate resources were spent on controlling post-operative infections and the spread of infective agents such as Methicillin-resistant Staphylococcus aureus (MRSA), or on combating the huge impact of recent increases in obesity – as well as associated conditions such as Type 2 Diabetes. These 'appropriate resources' would be significantly less than the sums currently allocated to combat certain diseases. The reasons for this disparity relate less to clinical logic than to public relations, culture and risk perception.
In organisations such as state-funded healthcare, local government and other public services, the attitude to risk management is often clouded by a perceived public need for certainty. Nothing is ever 100 per cent, just as no information system is 100 per cent secure. This absolutist attitude makes managing risk in certain sectors more complex than it need be. In politics, risk management is often based more on managing public opinion than on dealing with the reality of the risks faced.
There is an information source in the US called the Vanderbilt University's Television News Index and Abstracts. This was on one occasion used to perform content analysis of news coverage from January 1984 to February 1986. The research looked at over 500 evening news broadcasts, and discovered that some 1.7 per cent of the news time reflected environmental risks. During the same period, 57 stories discussed tobacco, whilst 482 concerned accidents and safety in the airline industry. Based on the number of actual deaths, there should be 26.5 minutes of coverage regarding tobacco for every second of airline accidents. For the most part, the ratio of acute to chronic deaths, in terms of network coverage, runs at about 7 to 1 (see below for more on chronic and acute risks).
Furthermore, it became very apparent that news stories tend to reflect the location of the television network news bureaus rather than the actual impact of the events themselves. In the US example given above, 'peripheral' states such as Alabama and West Virginia received about a third the amount of coverage as California and New York based on the number of incidents. Guess where the news bureaus are located! In 2004, the BBC decided to move much of its operation from London to Manchester in the northwest of England. What is apparent is that when an expert is required for news analysis, they now come from two sources – London or Manchester. The relocation has changed the focus slightly but has made little difference to other areas.
Such disparities are not confined to the location of the news bureau in question. The Global Terrorism Database1 holds records of 741 terrorist attacks in the year 2015. The event that was most heavily and widely reported was the November 13th Paris attacks during which 130 people died and 368 were injured. The day before the Paris event, another terrorist attack took place in Beirut, killing 43 people and injuring 240. Responsibility for both events was claimed by the so-called Islamic State or ISIL. Both events were undertaken using the same techniques and took place in heavily urbanised areas. The Lebanese attacks were virtually unreported by the western media. In November 2015 in The Guardian newspaper, Kenan Malik stated:
There have been many voices complaining that the Paris attacks have received more global attention than similar attacks in Lebanon and Iraq, and that the global news agenda is more sensitive about the loss of white western lives than others.
News is created and consumed through a perceptual lens. This lens differs from place to place and culture to culture. Our own personal perceptual lens tends to make us use the information we receive in a way that is not always aligned with a broader context. This applies as much to risk perception as to any other type.
John Allen Paulos, Professor of Mathematics at Temple University in Philadelphia, describes the ongoing public lack of understanding of numbers and risk in his seminal work Innumeracy – Mathematical Illiteracy and Its Consequences. Amongst the many issues he debates, he outlines how people 'personalise' events, forgetting that sometimes bad things just occur, that events do not run in threes and that the adage 'shit happens' is true. The link between innumeracy and 'pseudoscience' is one of Allen's strongest themes. If we actually thought about things rationally, stock market scams, pyramid selling and fortune tellers would become a thing of the past. If we actually thought about things rationally, risk perception would be less of a problem.
A strong factor in risk perception relates to control. Risk perception is more than statistics. If a threat is external and 'exotic' (that is, unfamiliar and perhaps strange), and if the person perceiving the risk feels they are not in control of a situation, the perception of risk is higher. For example, if you were to attend a late-night party some way distant from your home, and then decide you want to leave, most people (providing they haven't been drinking) would think driving home to be safer than walking across town late at night. Fear of mugging and assault drives many people (particularly women) into their cars. The truth is that driving a car, at any time, is about the most dangerous thing an adult can do in the UK. The fact that mugging is an external threat makes it more threatening.
Table 1.1 shows how some perception can distort risk.2
Table 1.1 Risk perception

| Less risky | More risky |
| --- | --- |
| Chronic | Acute |
| Controllable | Uncontrollable |
| Controlled by self | Controlled by others |
| Detectable | Undetectable |
| Diffuse in time and space | Focused in time and space |
| Fair | Unfair |
| Familiar | Unfamiliar |
| Immediate | Delayed |
| Natural | Artificial |
| Voluntary | Involuntary |
Chronic – acute
If a medical condition is chronic (that is, a condition that has built up over time, such as heart disease or Type 2 Diabetes), it is less dramatic and is not perceived in the same way as an acute condition (a condition that is sudden, such as infection by the Ebola virus or a car crash). If all the 10,000 people who die prematurely each year in the UK from smoking-related illnesses were to do so at one o'clock in the afternoon on 10 February in Parliament Square, the reaction would be very much more negative, and rapid remedial action would follow. The fact that most smoking-related deaths are attributable to chronic conditions, and that each death tends to be diffuse in time and space, lessens their impact. Each death is a tragedy but doesn't get a mention in the media other than when the victim is famous.
The major medical killers are chronic. Acute deaths get the headlines.
In information security, chronic issues normally relate to structural and infrastructural vulnerabilities, such as poor system design, inadequate procedures (such as poor system patching or untimely anti-malware software updates) or badly trained staff. These are difficult to deal with for a number of reasons, not least because admitting their existence could suggest someone in the organisation (perhaps the esteemed Head of IT) is to blame. Never underestimate the power of personal embarrassment!
The issues of chronic and acute conditions can be applied to information security quite readily. People tend to focus on acute issues (especially if they are perceived as being 'external', 'alien' or 'controlled by others'). Such issues include malware infection, hacking and industrial espionage. A specific example of chronic risk is the degree of trust many companies place on individuals who have developed systems from scratch.
I have seen many examples of people who have acted as designer, programmer, operator and maintainer of a business-critical application. In no instance had the person provided any meaningful documentation. The organisations had exposed themselves to considerable risk. Should the person leave, go sick or die, the business-critical application would be without support and could fail catastrophically. Furthermore, the person who developed and maintained the application was in a position to defraud the company by a number of means. These ranged from straightforward embezzlement to blackmail. The risk this person represented was chronic rather than acute. In many instances, the organisations decided to ignore the risk on the grounds that they did not want to offend the person involved. The acceptance of such profound risk would not be countenanced if the risk had been perceived as external to the organisation. This risk is often exposed when part of an organisation is outsourced – so often the incumbent experts decide to leave rather than move over to a new service supplier – leaving massive skill and knowledge gaps, limited documentation and no support!
Moral outrage
One of the most public illustrations of how risk is perceived and reacted to is called 'moral outrage' by sociologists and psychologists. This syndrome is well understood by the UK newspaper industry – some newspapers are keen to develop such outrage – normally to score political points or increase their circulation. They focus mostly on health issues, such as bovine spongiform encephalopathy (BSE) and the Mumps, Measles and Rubella (MMR) triple vaccine.
The example of the MMR vaccine is particularly poignant. In 1998, a report was published in the UK3 authored by Andrew Wakefield and 12 others, which suggested a link between the MMR jab and autism in young children. The research was based around findings of various antibodies in the internal organs of autistic children. The report unleashed a plethora of stories (many heartbreaking) of children becoming autistic after having the vaccine. The result of the fallout from the original report was a significant fall in the numbers of children being vaccinated. This pattern has remained, despite numerous later reports totally refuting the original research, although it should be noted that i...