David Wessel of the Wall Street Journal writes tomorrow (today) about risk. He points out the challenges of comparing "real risks" with "perceived risks". Obviously, this has a big impact on information security, and is why we generally focus on low-impact, frequent events (spam, worms (at least to date)) rather than what I would consider to be more significant aspects of information security – the low-frequency, high-impact events.
Paul Slovic is quoted. He appears to be the leading authority on the Perception of Risk. His website is here.