Nassim Nicholas Taleb on Risk Perception

From his Facebook page:

An illustration of how the news are largely created, bloated and magnified by journalists. I have been in Lebanon for the past 24h, and there were shells falling on a suburb of Beirut. Yet the news did not pass the local *social filter* and did [not] reach me from social sources.... The shelling is the kind of thing that is only discussed in the media because journalists can use it self-servingly to weave a web-worthy attention-grabbing narrative.

It is only through people away from the place discovering it through Google News or something even more stupid, the NYT, that I got the information; these people seemed impelled to inquire about my safety.

What kills people in Lebanon: cigarettes, sugar, coca cola and other chemical monstrosities, iatrogenics, hypochondria, overtreatment (Lipitor etc.), refined wheat pita bread, fast cars, lack of exercise, angry husbands (or wives), etc., things that are not interesting enough to make it to Google News.

A Roman citizen 2000 years ago was more calibrated in his risk assessment than an internet user today....

Posted on May 28, 2013 at 12:52 PM • 25 Comments

Comments

withheld • May 28, 2013 1:12 PM

This is exactly my perception of the disparity evident in government spending decisions when it comes to dealing with terrorism versus say, healthcare. The figures speak for themselves about what the most deadly factors are for the populace of a country like the USA or UK, and terrorism is not at the top of the list of what is killing citizens right now.

Carl • May 28, 2013 2:52 PM

> A Roman citizen 2000 years ago was more calibrated in his risk assessment than an internet user today.

Taleb has a history of hyperbole. I would guess that he knows zip about how Roman citizens assessed risk 2000 years ago.

Johnny • May 28, 2013 3:55 PM

I guess the point is, the average Roman Citizen wouldn't be freaked out so much about a Scottish victory over Romans in Britain as much as we freak out about military engagements nowadays. Maybe.

Max • May 28, 2013 4:00 PM

I think it is more that, they were aware of the real stuff that threatened them. Like being fed to the lions and tangible threats. But yeah, they wouldn't be afraid of far away people...until they were sacking Rome itself!

Simon • May 28, 2013 4:19 PM

"A Roman citizen 2000 years ago was more calibrated in his risk assessment than an internet user today." That is an extremely subjective statement. How in the world does Taleb or anyone know that?

Taleb gets on my nerves, I read two of his books and learned a lot. But he plain seems cranky. Like he's pissed off at everyone. So here is what he does. Just about the time he reaches third base making an important point he throws in some garbage statement. This is exactly what journalists commonly do. Make a lot of factual statements, then you can slip in just about anything and they'll buy it.

The fact is, Taleb brand is simply contrarian journalism. And there is a huge following of people who with their own twisted confirmation bias, tend to buy anything and everything so long as it is the opposite of what others are saying.

Daniel • May 28, 2013 4:53 PM

Here is an important and often overlooked issue about risk perception: average vs specific risk.

The definition of a "rare disease" is 1 in 200,000 yet America has almost 35 million people with a rare disease which is roughly 1 in 10. So when a person perceives their risk of a rare disease, which risk is it that they are perceiving?

Romans were not better at perceiving risk, simply more ignorant. 2000 years ago the world was characterized by (a) small isolated communities that (b) were not interconnected. So in that case when someone got a rare disease it was easy to see how it could be read as the wrath of God, the doings of Satan, or whatnot because they were seeing the 1 in 200,000 risk. They didn't understand that the real risk was 1 in 10. Generations could go by before a big city of 10,000 people in those days saw a rare disease.

On the other hand, today the world is characterized by (a) large populations that (b) are closely interconnected. As a consequence among the seven billion people on the planet rare diseases are popping up all over the place. So people now evaluate the risk on the 1 in 10 odds.

How one perceives a risk all depends on how one frames the risk. My odds of getting a specific rare disease is 1 in 200,000 (by definition) but my odds of having any rare disease in general is 1 in 10. So at least in the case of rare diseases, Romans couldn't have been any better at perceiving risk because they had no data set to know what the true average was.

Erik Grueter • May 28, 2013 8:38 PM

Great reference to Taleb here!

Would be interested to hear thoughts on how his latest book: Anti Fragile can be applied to security!

Is it possible to build an anti fragile security system? Or is robust the most we can hope for?

Gweihir • May 28, 2013 9:39 PM

I am not surprised at all. People have become so distant from reality, that they do not see ordinary risks at all. Maybe a stint of a week or so in an emergency room should be part of mandatory schooling for everybody, so children can learn what actually does kill and maim.

NobodySpecial • May 28, 2013 11:14 PM

The Roman politician Cato persuaded the senate to start a war with Carthage by holding up some fresh figs he said were from Carthage - proving that the Carthaginians had the ability to launch an attack on Rome within 3 days.

At least this was more believable than the Iraqi's 45 mins.

JeffH • May 29, 2013 1:52 AM

@ppz - Not quite. Taleb's argument is that we need systems that aren't merely resilient in face of damage (robustness) but become stronger as a consequence of the damage (anti-fragile is the term he's coined). He actually applies this beyond security, into things like economics.

Contrast a typical security system with the human body's immune system (yes, yes I know, terrible analogies and all that). If the immune system successfully fights off a disease, it is typically much better at fighting that battle a second time. A lot of security systems merely weather attacks or even just slow them down. They rarely (and certainly not automatically) improve as a consequence of the attack, beyond vague cautionary tales of 'don't do this'.

It's at least an interesting idea although efforts at community-driven security systems seem less effective as white blood cells can't en-masse decide to skew the results.

Clive Robinson • May 29, 2013 5:27 AM

@ JeffH,

Yes the comparison between the immune system and security systems has some distinct problems [1].

However you can take a step backwards to get a more generalized overview of attacks against security systems. That is attacks are both specific in their methods but also fall into general classes of attacks.

Most AV systems and work arounds deal with specifics not classes, so they fail with only slight variations in the specifics.

What I've advocated for a very long time is security solutions that deal with classes of attack not the specifics of a single attack. This way you do get lasting improvements in security.

So Taleb's idea is far from original as is the case for many of his pronouncements.

For those who don't quite see the difference between a specific and a class look at it this way,

A fire drill is an evacuation procedure through a designated (likely) safe route to a designated muster point where a roll call establishes if there are people left in the at risk area. It should be practiced on a sufficiently regular basis such that personnel regularly in the area know what to do without hesitation or panic etc.

We call it a "fire drill" but it's actually an "evacuation procedure" that is much more general and deals with many more emergency situations than just the specific of "fire" so works for "bomb threat", "Chemical spill", "earth quake", "gas leak", "power loss" and all sorts of other "specific emergencies" which fall into the "class of emergencies" for which evacuation is the first sensible response.

You would have a hard time convincing anybody to have "specific evacuation plans" for all the specific emergencies that might arise unless there is a very clear and reasonable reason (as seen in some chemical plants). What generally happens is the procedure is put in place for the most common risk (fire) and then modified slightly to cover other risks that would not otherwise be covered.

Thus a fire drill in most cases is "anti-fragile" and will probably work for as yet unexpected or unknown risks.

BUT and it's a big but, when you are dealing with "natural emergencies" such systems will more than likely work, not so with planned attacks. A planned attack will usually take the prevention procedures into account and use them against the people in a given risk area.

Such attacks have been seen with "two bombs" where the attacker places a small bomb to cause the evacuation procedure to be invoked. The second bomb is placed at the muster point which is usually an area in the open such as a carpark etc where a larger bomb can be concealed and thus cause significantly more damage.

It is for this reason that "anti-fragile" is a nice meme but is unlikely to work.

To get it to work against an intelligent adversary it needs to be even more generalised and importantly rapidly adaptable. This requires an intelligent or learning system which can respond almost as rapidly as the attack. Currently we don't have automated systems with the required intelligence or humans with the required response time.

This means falling back on a defensive system where you only allow which must be allowed and disallow all else. Whilst this might be made to work in a high security environment such as the NSA etc it is grossly inefficient and could not realistically survive in a modern business environment. This is simply because the lack of responsiveness means it can be outmanoeuvred in any sensible market place by smaller more adaptable organisations.

In fact we see this currently with many large organisations that cannot respond quickly they only survive by having secondary protections such as patents and copyright they can exploit to in effect close the market to competition. However this has its own disadvantages, it generally relies on "equity of arms" in the major players and a belief in "mutually assured destruction" if "any major player resorts to arms against another major player". In this respect it is going to be interesting to see what happens to Apple over mobile phones (although it appears to be quietening down currently).

[1] The most awkward problem being that of the mutation of existing disease into new forms. That is a new disease is a mutation not completely new, thus a generalised immune response will give protection to other as yet unseen disease simply because it's mutated from a seen disease. Mostly this is not true for new attack vectors in security systems.

Bob T • May 29, 2013 8:16 AM

I like this guy's comment.

I tell my friends in Serbia about the huge corruption and increasing manipulation and the loss of individual rights in this money printing press backyard, and after the pause they reply: "you have android or iphone"?

Bob T • May 29, 2013 8:34 AM

I think what taleb is saying is what Mark Zuckerberg said.

"A squirrel dying in front of your house may be more relevant to your interests right now than people dying in Africa." -- Mark Zuckerberg
"Keep you doped with religion and sex and TV And you think you're so clever and classless and free But you're still ****ing peasants as far as I can see" -- John Lennon, "Working Class Hero"

The so called news media knows this and feeds it to the people in generous helpings. Personally, I think it's just human nature and the people who decide what goes on the news are social media users, as well. Besides, "journalists" get their jobs for being good looking rather than being good journalists.

شنير • May 29, 2013 8:54 AM

Taleb is FOS. I was talking with friends in Beirut this weekend when they said they had to go watch Nasrallah's tv address, which everyone knows has huge consequences for Lebanon's fragile stalemate between March 8 and March 14. When the rockets hit the Dahieh next day, I heard about it on social first because everyone was talking about it just because it was so f*cking predictable after Nasrallah committed Lebanon to propping up Assad.

What killed lots and lots and lots of people in Lebanon is not pita but sectarian conflict, and everyone is wary of it especially when there's a major threat of reigniting this conflict.

Brian Krebs is the Chris Hansen of Cyber Security • May 29, 2013 9:43 AM

Gluten kills more people than terrorism and the FDA continues to use it in their Food Pyramid!

NobodySpecial • May 29, 2013 11:45 AM

@Clive Robinson - I assumed that was what the Boston marathon bombing was.
Plant a small inconsequential bomb that would get lots of publicity in a city that has strong democrat politics.

That guarantees the president would turn up the next day for some sort of memorial/event in one of the 2 or 3 places that could be used for this. The secret service have only 12-24 hours to do a security check so could easily miss a large bomb that had been installed a month before.

Fortunately all the competent professional terrorists in Boston are now officially retired


Dirk Praet • May 29, 2013 7:46 PM

According to UN Human Rights Council "Implementation of General Assembly Resolution 60/251 of 15 March 2006 entitled Human Rights Council" and Commission of Enquiry on Lebanon, 23 November 2006 (p.18), the civil war in Lebanon lasting from 1975 to 1990 resulted in an estimated 120,000 fatalities. To date, there is sporadic sectarian violence between several factions, all of which armed to the teeth.

Hassan Nasrallah's recent backing of the Assad regime in Syria has opened up old wounds. His Iran-backed (Shia) Hesbollah militia has been clashing with Sunnis sympathetic to Syrian rebels, leaving about 20 dead and 200 wounded in the Tripoli area since last Sunday.

In a country where a squirrel on a surfboard or a nipslip of a celebrity are considered breaking news, I'd say that coverage of such events constitutes very valid journalism. Many political analysts agree that an escalation of this conflict has a serious potential of destabilising the precarious balance in Lebanon.

I am genuinely surprised that Mr. Taleb who was born and raised in Lebanon downplays to non-events what is currently going on there, especially when seen in the historical context I just described. It's probably true that what Mr. Taleb describes as killing people in Lebanon is indeed causing more casualties than sectarian violence is today, but entirely ruling out an escalation and the disastrous consequences thereof really makes me want to doubt his risk assessment skills as much as those of the average internet user he is referring to.

Danny Moules • May 30, 2013 6:24 AM

"I guess the point is, the average Roman Citizen wouldn't be freaked out so much about a Scottish victory over Romans in Britain as much as we freak out about military engagements nowadays. Maybe."

Barbarians destroying a part of civilization?! Citizens being butchered and raped by trouser-wearing mountain-dwellers?! The Senate shan't stand for this! As one of your trusted Consuls I will not let this atrocity go unpunished - and if we should have thousands more slaves to bring back to Rome all the better...

...seriously though... you can't muster tens of thousands of people (a huge deal in those days, esp. when you consider they would all be conscripts torn from their homes) without giving the citizenry something to shout about to justify the action. Much of Roman politics was based around the perception of regimes in far away states; mass social manipulation, whilst it presented differently, was a massive factor. The rhetoric was astounding: Extremely hawkish, conservative with a massive war economy. They formalised the concepts of 'Ius Fetiale' and 'Casus Belli' to describe 'Just Wars' (religious or otherwise). This was a matter of political necessity, not simply an informal gesture but a serious aspect of senate politics. Not dissimilar to what we see from a particular state (that shall go unnamed) today...

What's more saddening now is that it's easier to get access to information that would disprove the assertions. You couldn't trek to Persia to ask then what they really thought of their 'tyrant' leader, but you can certainly phone someone in Lebanon to ask them how they feel about theirs. In spite of this people choose to consume mass media anyway for expediency.

Now that people have a choice between manipulated information and non-manipulated data they tend towards manipulated information because they don't feel in a position (rightly or wrongly) to acquire and interpret the data for themselves - for a wide variety of reasons. Many don't even go so far as to get their information from multiple sources; again, the reasons for this are myriad.

Clive Robinson • May 30, 2013 8:45 AM

@ Danny Moules,

> Many don't even go so far as to get their information from multiple sources; again, the reasons for this are myriad

In the case of many of the more recent and younger journalists the reasons are fairly predictable,

1, What's the slant the owner wants?
2, What's the puffery the editor wants?
3, Who is going to give me opinion / quote compliant with 1&2?
4, How do I use 3 on those whose opinion is contrary to 1&2?
5, Will an Internet search cut out either 3 or 4?
6, Can I not bother with 3-5 and just make it up and get away with it?

We are increasingly seeing less and less of 3&4 in print and virtually none at all in OnLine pubs, where 5 and more frequently 6 are seen as if there are complaints the OnLine article either disappears or gets edited without comment.

For those credulous at this consult the Way Back machine or search engine caches. One Serial Offender in this area is the UK's Daily Mail online version where even at their best they fail to acknowledge their "Cut-n-Paste" from other web sites...

Oh and I've been told they only pay 40GBP per article irrespective of length or quality of journalism such as basic research...

Thus to make a basic living you'd have to turn out 8-10 articles a day before anyone else does the same story before you and takes the money.

Under such "incentive" what do people expect to get?

Nosey Parker • May 30, 2013 4:19 PM

Why isn't anyone calling a spade for what it is, a spade. Surely most people know the terrorism is largely the same thing that Vietnam was, that the dropping of excess tons of bombs on Laos was, and what Noam Chomsky says eventually will arrive here, a way to arrive at using the bombs and various other weapons of mass destruction that the profiteers have been making for centuries on end to keep the population in line and the rulers in power. Come on, we all are stupid aren't we?

Trablous • May 31, 2013 10:22 AM

Nassim Taleb must live in some imaginary safety bubble. Here's what's really happening in Beirut and other cities:

"We don't distinguish between Syria and Lebanon anymore," Hajj Mohammed, the youthful militant leader told me. "We live under Shiite occupation just like the Syrians, and now are a finger in the fist of this jihad against Iran and their Zionist dog, Bashar [al-Assad]."

"But Hezbollah's problems are not contained to Qusayr. The party's assault on the beleaguered city was the final straw for some of Lebanon's Sunnis, who have long resented the Shiite movement's sway over the country's political scene. Within days, the worst fighting in years wracked Lebanon's flashpoint city of Tripoli killing nearly 30 people and wounding more than 100.

"One Islamist commander, while taking a break from fighting in his Tripoli neighborhood, told me last week that there were roughly 70 Lebanese Sunni fighters in Qusayr. His group had sent another 20 men in an attempt to support the city, but they couldn't break Hezbollah's lines, so returned to continue the battle in north Lebanon. "As long as Qusayr is surrounded, Jabal Mohsen will be surrounded," he said, referring to the Tripoli neighborhood dominated by Alawite supporters of Assad."

vianegativa • May 31, 2013 11:05 AM

Antifragile security systems can be developed, but it's difficult to make any one company antifragile.

If an organization can develop an incident detection and response capability, then conduct full-scale real pen-tests to strengthen the response capability, you arguably have an iatrogenic effect. This is difficult, and requires buy-in from the board and c-suites.

From an industry perspective, it's much easier to have antifragile organizations. Companies that don't do security correctly, or take undue risks can fail (if they're allowed to by government) - Via Negativa. This removes the weak and stupid organizations from the pool. It provides a negative incentive to others, and allows the strong to survive. Net, the industry gets stronger.

As far as the ME (middle east) is concerned; this is what occurs when constrained, "normalized" systems explode. It is the result of a half century of western intervention to remove volatility, propping up tin-pot dictators, re-forming the boundaries of nations based on some arbitrary British Lord's interpretation of how the world should be divided. When you normalize these systems and insulate nation states from volatility (Israel, Saudi, Iraq, Afghanistan, Jordan, Bahrain, Qatar, etc.) the likelihood for black swans to occur increases, and their inevitable impact becomes absolutely massive. There is no fixing this.

The US has started a hot proxy war with Russia. Welcome to WWIII. Your package of unintended consequences seems to have arrived.

officerX • June 4, 2013 6:29 AM

Still going strong with the smart-ass trader 'tude then, Mr Taleb?

I'd love to see the referenced Roman risk assessing the world 2000 years later. They may have had everything just right for their world back then, but the point is that the world has changed faster than we have (can).

Flynn • June 6, 2013 11:56 PM

"We don't distinguish between Syria and Lebanon anymore," Hajj Mohammed, the youthful militant leader told me. "We live under Shiite occupation just like the Syrians, and now are a finger in the fist of this jihad against Iran and their Zionist dog, Bashar [al-Assad]."

Apparently Zionist is used to mean anything we don't like. Kind of like we use terrorist. The only thing this kid has a finger in is his ass, like most of the Middle Earth I mean Middle East.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..