Conventional wisdom about risk

People generally worry about the wrong things: paying too much attention to minor risks and not enough attention to major ones.
By Bruce Schneier, Founder and the CTO of BT Counterpane Internet Security.
Johannesburg, 17 Apr 2007

Most of the time, when the perception of security doesn't match the reality of security, it's because the perception of the risk doesn't match the reality of the risk. We worry about the wrong things: paying too much attention to minor risks and not enough attention to major ones. We don't correctly assess the magnitude of different risks. A lot of this can be chalked up to bad information or bad mathematics, but there are some general pathologies that come up over and over again.

Most people are more afraid of risks that are new than those they've lived with for a while. In the summer of 1999, New Yorkers were extremely afraid of West Nile virus, a mosquito-borne infection that had never been seen in the US. By the summer of 2001, though the virus continued to show up and make a few people sick, the fear had abated. The risk was still there, but New Yorkers had lived with it for a while. Their familiarity with it helped them see it differently.

People are less afraid of risks that are natural than those that are human-made. Many people are more afraid of radiation from nuclear waste, or cellphones, than they are of radiation from the sun, a far greater risk.

People are less afraid of risks they choose to take than of risks imposed on them. Smokers are less afraid of smoking than they are of asbestos and other indoor air pollution in their workplace, which is something over which they have little choice.

Most people are less afraid of risks if the risk also confers some benefits they want. People risk injury or death in an earthquake by living in San Francisco or Los Angeles because they like those areas, or they can find work there.

In general, people are more afraid of risks that can kill them in particularly awful ways, like being eaten by a shark, than they are of the risk of dying in less awful ways, like heart disease - the leading killer in America.

People are generally less afraid of a risk they feel they have some control over, like driving, and more afraid of a risk they don't control, like flying, or sitting in the passenger seat while somebody else drives.

Most of us are less afraid of risks that come from places, people, corporations, or governments we trust, and more afraid if the risk comes from a source we don't trust. Imagine being offered two glasses of clear liquid. You have to drink one. One comes from Oprah Winfrey. The other comes from a chemical company. Most people would choose Oprah's, even though they have no facts at all about what's in either glass.

We are more afraid of risks that we are more aware of and less afraid of risks that we are less aware of. In the fall of 2001, awareness of terrorism was so high that fear was rampant, while fear of street crime and global climate change and other risks was low, not because those risks were gone, but because awareness was down.

We are much more afraid of risks when uncertainty is high and less afraid when we know more, which explains why we meet many new technologies with high initial concern.

Adults are much more afraid of risks to their children than risks to themselves. Most people are more afraid of asbestos in their kids' school than asbestos in their own workplace.

You will generally be more afraid of a risk that could directly affect you than a risk that threatens others. US citizens were less afraid of terrorism before 11 September 2001, because up till then the Americans who had been the targets of terrorist attacks were almost always overseas. But suddenly on 11 September, the risk became personal. When that happens, fear goes up, even though the statistical reality of the risk may still be very low.

When you look over the list in the table, the most remarkable thing is how reasonable so many of them seem. This makes sense for two reasons. One, our perceptions of risk are deeply ingrained in our brains, the result of millions of years of evolution. And two, our perceptions of risk are generally pretty good, and are what have kept us alive and reproducing during those millions of years of evolution.

When they fail today, it's because of new situations that have occurred at a faster rate than evolution: situations that exist in the world of 2006 but not the world of 100 000 BC.

To understand all of this, we first need to understand the brain. Catch my next Industry Insight to see what security issues should really be on our minds.