
Assessing personal risk
I haven't seen this talked about, although there have been a few blog comments. A Sep 24 article in
*The Washington Post* summarizes research done by Dr. Jennifer Lerner at Carnegie Mellon on
individual perceptions of risk. Not surprisingly to readers of RISKS, people dramatically misjudge risk
- but what was surprising to me is how they did it in contradictory ways. WashPost says "Lerner
found that anger and fear systematically bias people's risk estimates in opposite directions. Anger
causes people to underestimate risks, which may be why drivers in the grip of road rage confidently
attempt perilous maneuvers that place themselves and others in danger. By contrast, people who are
afraid overestimate risks."
The *WashPost* article also discusses research by psychologist David Mandel of Defense Research and
Development Canada, noting "While psychology is not much use in predicting the future when it comes
to terrorism, what it can do is highlight errors in thinking. Mandel asked people after the Sept. 11
attacks what they thought the risk of a major terrorist attack would be in the next two months. He then
asked his volunteers to estimate the risk of an attack specifically by al-Qaeda and the risk of an attack
by a completely separate group. Mandel found that when he totaled a person's responses about the
likelihood of each of the subdivided possibilities, their sum was greater than the person's guess about
the overall likelihood of a terrorist attack." Also, people misconstrue their own risk vs. the risk to
others:
"People invariably see themselves as being at lower risk than the average person -- they guessed that
they had a 1-in-5 chance of being hurt but that others had a 1-in-2 chance of being hurt. Obviously,
these statistics cannot be true for everyone."
So to bring this back to RISKS, I wonder how these psychological results apply to technology risks. Do
we underestimate the risk of cyberattacks and take unnecessary risks (e.g., knowingly going to
dangerous web sites, not running the latest security software) because we think we're immune as
security professionals? Or are we overestimating our risk because we're afraid? I don't have any
answers, but the article made me think about risks and RISKS.
http://www.washingtonpost.com/wp-dyn/content/article/2007/09/23/AR2007092300915.html