When chatting with a friend about risk management via IRC recently, he referred me to the essay The Psychology of Security.
This is quite a good paper discussing how poor humans are at understanding and assessing risks and their impact on security.
Most of the time, when the perception of security doesn't match the reality of security, it's because the perception of the risk doesn't match the reality of the risk. We worry about the wrong things: paying too much attention to minor risks and not enough attention to major ones. We don't correctly assess the magnitude of different risks.
Gain versus loss
One area it explores is how most people are more worried about the risk of a potential loss than inspired by a potential gain - even when the probability is the same.
When the same risk is presented in two different ways, as the probability of a gain or as the probability of a loss, people respond differently, as illustrated in this example from the essay:
In this experiment, subjects were asked to imagine a disease outbreak that is expected to kill 600 people, and then to choose between two alternative treatment programs. Then, the subjects were divided into two groups. One group was asked to choose between these two programs for the 600 people:
- Program A: "200 people will be saved."
- Program B: "There is a one-third probability that 600 people will be saved, and a two-thirds probability that no people will be saved."
The second group of subjects were asked to choose between these two programs:
- Program C: "400 people will die."
- Program D: "There is a one-third probability that nobody will die, and a two-thirds probability that 600 people will die."
In this experiment A = C and B = D, so logically both groups of subjects should choose the same option. Yet most people (72%) choose A over B, and most people (78%) choose D over C. People make very different trade-offs if something is presented as a gain than if something is presented as a loss.
A familiar or known risk is underrated
Another area discussed was how people tend to worry less about the familiar than about the unfamiliar, and have difficulty assessing risks outside their own experience. To quote from the essay:
- People exaggerate spectacular but rare risks and downplay common risks.
- People have trouble estimating risks for anything not exactly like their normal situation.
- Personified risks are perceived to be greater than anonymous risks.
- People underestimate risks they willingly take and overestimate risks in situations they can't control.
- Last, people overestimate risks that are being talked about and remain an object of public scrutiny.
What does this mean for assessing online channel risks?
The internet is still very young and poorly understood by many organisations.
The risks are unfamiliar and outside the experience of many people.
While there are many possible gains from using the online channel, there is also the risk of loss: potentially the loss of reputation, and the opportunity cost of funneling resources into online initiatives that fail.
Based on how humans commonly assess risks, the combination of an unfamiliar environment and a potential downside can lead to many online risks being exaggerated, while the risks of a more familiar channel are understated.
For example, consider the alternatives of having a minister or senior public servant engage in a scheduled online chat versus participating in a radio talkback session.
For the talkback the risks would often be considered minimal - it's a well-known environment, and while there are risks of awkward questions from the host or callers, these are accepted as part of the background of the medium and processes on how to manage them are well understood.
For the online chat, the risk of unmoderated chatters could be raised as a major concern - even though moderation mechanisms exist, and questions can be screened even more effectively than on radio.
Risks around hacking could also be raised, and these can likewise be mitigated, though rarely eliminated outright. For the radio talkback, the equivalent risks of someone jamming the radio signal or sabotaging the power supply to the transmitter would not even register.
Finally, there could be concerns raised around the ability of the minister/public servant to communicate clearly and effectively via the chat tool. This can also be managed - some answers can be pre-prepared, or a typist could be on hand to type the responses as they are needed.
On talkback radio a similar concern would be raised - and managed through media training.
There are many other examples I've witnessed and heard about where online channel risks were exaggerated in comparison with the risks of other channels.
How to ensure that online risks are assessed accurately
This is the billion dollar question - determining a process that allows risks related to the online channel to be accurately weighed and considered alongside risks for other channels.
My feeling is that the only effective solutions are education, process change and time.
Of these, the first can be directly influenced. Those managing their organisation's online channel or web-based services need to be actively educating others across their organisations on the benefits and issues of the online channel. This raises familiarity and understanding, helping others normalise the internet in their worldview and thereby begin treating online risks in a similar way to those for other channels.
Process change involves modifying the processes around risk identification and rating in order to rebalance how online risks are weighed against those of other channels. This can be influenced by education, but generally requires profound changes to organisational risk frameworks, corporate guidelines and policies. High-level support is necessary to move this along.
The final solution, time, can be influenced by education, but only to a degree. At the end of the day it may simply require another 20-30 years for organisations to undergo the changes required to understand and integrate online risks accurately into an overall risk framework.
How does your organisation weigh online risks?
I'm interested in how other organisations weigh online risks - whether the risk of change or the risk of not changing.
What's been your experience of how organisations compare online risks versus others?