The Perception of Risk

"Risk" is a strange beast. It carries many uses and connotations, which makes it a fairly ambiguous concept. Paul Slovic lays out a handful of these uses in his 2002 paper, The Perception of Risk Posed by Extreme Events:

  • Risk as a hazard
  • Risk as a probability
  • Risk as consequence
  • Risk as potential adversity or threat

There is a new book out by Richard Posner called "Catastrophe: Risk and Response" that is reviewed in Slate here. One of the things the reviewer, Jeffrey Rosen, says really hit home with me:

"…which is why the government correctly abandoned Total Information Awareness and replaced it with a system designed to verify a traveler’s identity rather than model suspicious behavior."

This is one of the Big Issues associated with security – deciding between a trust-based model (verifying identity) versus a threat-based model (modeling suspicious behavior). We see it in information security as the difference between encryption and intrusion detection. It is perhaps even more apparent with anti-spam techniques as they shift from detection to validating mail servers (Sender ID).

The challenge is that neither of these approaches is foolproof. We feel perfectly righteous in simultaneously laughing at attempts by the TSA to identify suspicious behavior (and "suspected terrorists") and crying foul about their attempts to pursue stronger identification. In other words, we want to have our cake and eat it, too.

What we should really be striving for is the optimal combination of the two that sufficiently reduces our risk. Of course, that would be great if we were calculating our risk and performing the cost/benefit analysis required, but we don’t. Instead we rely on perception, which gets us back to my initial comment about risk.

Mr. Rosen put it very clearly in his review (though he wasn’t talking about information security risk, per se):

"But the greatest challenges that menace us cannot be precisely quantified by science; they are psychological and political."

We have our work cut out for us.