Wednesday, October 24, 2007

Risk assessment and the human mind

Bruce Schneier, a computer security consultant, finds that people do a poor job of assessing computer security risks. Rather than blaming the problem on poor training that computer users received from computer consultants, he blames it on human nature. He writes:
  • People exaggerate spectacular but rare risks and downplay common risks. They worry more about earthquakes than they do about slipping on the bathroom floor, even though the latter kills far more people than the former. ....
  • People have trouble estimating risks for anything not exactly like their normal situation. Americans worry more about the risk of mugging in a foreign city, no matter how much safer it might be than where they live back home. ....
  • Personified risks are perceived to be greater than anonymous risks. Joseph Stalin said, “A single death is a tragedy, a million deaths is a statistic.” ....
  • People underestimate risks they willingly take and overestimate risks in situations they can’t control. When people voluntarily take a risk, they tend to underestimate it. When they have no choice but to take the risk, they tend to overestimate it. Terrorists are scary because they attack arbitrarily, and from nowhere. Commercial airplanes are perceived as riskier than automobiles, because the controls are in someone else’s hands -- even though they’re much safer per passenger mile. ....
  • Last, people overestimate risks that are being talked about and remain an object of public scrutiny. News, by definition, is about anomalies. Endless numbers of automobile crashes hardly make news like one airplane crash does. The West Nile virus outbreak in 2002 killed very few people, but it worried many more because it was in the news day after day.

He has some valid points. I think that he misses a subtlety on personified threats: Conservatives tend to focus on personified threats (Hitler, Stalin, bin Laden, Pol Pot) which liberals tend to minimize. On the other hand, liberals focus on unseen/anonymous threats (global warming, the coming ice age, acid rain) of which conservatives tend to be skeptical.

On some points, he appears to miss the boat. For example, he writes:

“The final death toll from 9/11 was less than half of the initial estimates, but that didn’t make people feel less at risk.”

The reason to take the terrorist threat seriously is not the death toll of 9-11. Rather, it is the possibility that similarly determined terrorists may sneak a nuclear bomb across our borders.

