Andy Ellis on Risk Assessment

Andy Ellis, the CSO of Akamai, gave a great talk about the psychology of risk at the Business of Software conference this year.

I’ve written about this before.

One quote of mine: “The problem is our brains are intuitively suited to the sorts of risk management decisions endemic to living in small family groups in the East African highlands in 100,000 BC, and not to living in the New York City of 2008.”

EDITED TO ADD (12/13): Epigenetics and the human brain.

Posted on December 6, 2019 at 6:55 AM • 11 Comments


Edward December 6, 2019 8:58 AM

Some parts of our brains may still function at the level they did in 100,000 BC, but not all of them. Evolution did not grind to a halt at that point. Even if we reject the idea that our brains have changed genetically, they have certainly changed due to epigenetics.

This is a good discussion of epigenetics and the human brain:

From the same source, there is evidence that epigenetic changes can be inherited:

I tend to think that we are still evolving ways to deal with modern risk. We don’t step out in front of cars (usually) even though there were no cars 100,000 years ago. We have learned to multi-task in relation to modern dangers just as we had to in relation to East African predators.

Perhaps computer security is still too abstract for us, but we can and some of us do develop a seemingly instinctive distrust of phishing attempts, email attachments and similar enticements to risky cyber-behavior.

JonKnowsNothing December 6, 2019 12:36 PM

re: Evolution of Brain Systems

hmmm well maybe not exactly like you think…

There is an inherent bias for “progression” where “progression” is defined by “what we want”. This is not always the case. Evolution does not necessarily mean we learn to adapt or avoid anything especially those things that we currently define as “needing” adaptation.

People are not “adapting” to technology, they are “addicted” to technology.

People are not “adapting” to “Not Getting Run Over” by chariots, horses, stampeding cows, human driven cars or automated driven cars. We die very handily just the same. (there is another SBlog on this)

When animals sense a predator they do not generally stand in front of it. People not walking in front of cars, treat the approaching car like a predator, same as if it were a lion.

When animals and people do not sense a predator, they become road-kill. AI Driven cars are more dangerous in this aspect because at least humans, have some idea of what a human driver may do. They have no experience with AI Driven cars and cannot know if running forward, standing still or running away will allow the Predator-Car to pass them by safely.

Animals who have as long or longer a history as humans, still have not evolved any “evolutionary” adaptation to cars or trucks. Some animals can learn to tolerate or can be desensitized to the sounds and movement of trucks and cars but this is not a hereditary evolution in their genetics. Each horse must learn tolerance and some never do.

Humans have to be desensitized too, we don’t pass on automatic inherited acceptance of even natural phenomena like: your first thunderstorm.

Failure to comprehend something outside of your sphere of knowledge results in Death. The roadways are littered with the No-Progression-Evolutionary effects. Tiny creatures may not even notice the giant fly swatter about to splatter them.

Humans are nothing more than targets for Technology Fly Swatters. Expecting an Evolutionary Genetically Transferable understanding is an unlikely outcome.

Willem December 6, 2019 12:39 PM

Gerd Gigerenzer makes, following Frank Knight, a distinction between Risk (measurable) and Uncertainty (not measurable). Our brains are wired for working under uncertainty, not risk. We take all kinds of cues into account in our mental model to produce workable outcomes. In the case of uncertainty that means we often have usable heuristics for solving complex situations. In the case of risk, that leads us astray when compared to the mathematical model that solves the puzzle. See [1] (text above is partly an interpretation)


Clive Robinson December 6, 2019 3:39 PM

@ Bruce,

“The problem is our brains are intuitively suited to the sorts of risk management decisions endemic to living in small family groups in the East African highlands in 100,000 BC, and not to living in the New York City of 2008.”

And thereby hangs the problem.

Even with the now acknowledged jumps in evolution the process is generally measured in hundreds of generations. In fact if we could go back 2000 years or bring someone forward 2000 years the differences would not be that much and mainly due to better nutrition, health care, and localised environment control.

The thing that does change over the relatively short term of five to ten generations is epigenetics, but so far these have not been linked to mental capabilities (though some argue about ASDs).

The problem with technology is that it has a generation every 18 +-6 months in electronics and mechanical devices like engines every 30 +-10 years. Surprisingly perhaps building technology is actually speeding up with generational times in some areas being in decades or half decades.

The upshot is the human mind is in reality never going to evolve as fast as technology. In fact technology will get not just away from us but ahead of us and many think this kind of happened in the early half of the 1980’s.

Thus the issue arises as to how far ahead are we as a society prepared to let it get. History shows people smashing up early machines or throwing wooden shoes (sabot) into them in revolt. Realistically there is absolutely no reason to think such social unrest will not happen again, only more violently as the technology makers become more entrenched with governments thus in part protected by the “guard labour”.

So we kind of have three choices,

1, Try and play catchup by specialist education.
2, Try to “muddle along” as we currently do.
3, Revolution to take society back in time a half century or couple of centuries.

Some seriously believe there will be a revolution and after a few short wilderness years where people who can not survive without technology die out along with the technology, and we end up living some kind of pre-mechanised rural lifestyle.

Personally whilst I can see technology collapsing in on itself as we see with less and less reliable machines and software, I think that whilst there will be an almost lawless adjustment phase it will bring some respite. Which will allow things to level out somewhat, in that people will spend a lifetime with two or less generations of technology changes not the 30-40 generations of technology change someone of our ages has seen.

But the message is clear, we as a race can not actually live with the rapid change of progress. Something that even “life long learning” can not keep us abreast of.

We know this by simple observation. If we look at “malware” whilst it changes, those with a responsibility to deal with it, don’t have the time to learn what has happened in the past. The result of this is “the industry forgets” thus things that were found and exploited thirty years ago, are coming back albeit in a slightly different form. Whilst some of the older generations remember the events and might actually have “history files” and the like detailing the issues and how they were previously detected and negated. Those younger have to “relearn on the point of a sword” or either get lucky or eaten alive.

Our past is what makes us what we are and gives us the foundations on which to build the future. If we lose that foundation knowledge, then we are going to be cursed with the same old mistakes over and over, thus no future just stagnation.

So until we do take the time to relearn those things that do form our foundations properly we will relive history needlessly.

vas pup December 7, 2019 4:16 PM

Thank you for the link and very good presentation.

I’m just curious: do you ask Moderator to pay attention to the answer at the end of the presentation (about 1h 4min)?

I love his point!


@Edward: I’ll definitely look in details at the links you’ve provided lately. Thank you.

TRX December 7, 2019 4:52 PM

Andy Ellis, the CSO of Akamai,

Up until well after the turn of the century our only connection to the net was via dial-up. We paid by the minute, and the lines were so poor we seldom got a connect faster than 2400 baud.

So I’d sit there with a page stalled, watching the clock ticking money away, before advertisements would load. Netscape told you the URLs the page was trying to hit on the bottom status line, something that was pretty handy. Eventually I noticed that it was almost always [something]akamai[something] that was holding things up. And then I found out how to short-circuit that via the “hosts” file.

This was before there were “content delivery networks”, as they like to style them now. Back then Akamai was still just an ad server, trying to cram high-resolution graphics and low-resolution video down my 2400 baud pipe at my expense.

As far as I’m concerned they’re thieves, and they owe me for all the stolen bandwidth I had to pay for. And just the word “Akamai” smears anything they might be trying to say now with the feces of their previous behavior.

Maybe Akamai, and Doubleclick, and the others were no big deal if you had ISDN or one of those “all the 56K you can use for $10 a month” deals, but my hatred of them and their “business model” remains fresh.

Clive Robinson December 7, 2019 11:42 PM

@ TRX,

As far as I’m concerned they’re thieves, and they owe me for all the stolen bandwidth I had to pay for.

You are not the only one to remember such evil. Worse it did not stop with dial up, it carried on with mobile broadband and still does… But even if you’ve got no data caps, it’s still your life they are stealing.

Yes you can turn off javascript and see pages load five or ten times faster, but then some website owners have the temerity of accusing you of stealing their content (Condé Nasty being but one).

Others on my “burn slowly and painfully in hell” are the likes of Microsoft with their near compulsory forever download patches. Then anyone remember their push to get Windoze10 on everyone who really really did not want it? Oh and of course nowadays their latest spy-ware AKA telemetry.

Something unfortunately some major Linux distros are now joining in with (along with leaving out useful tools and documentation you could use to stop it).

Welcome to the world of living in a goldfish bowl and paying through the nose for it every which way they can make you…

Clive Robinson December 8, 2019 12:12 AM

@ TRX,

Oh I forgot to add in this reference in my above,

Yes Akamai and Microsoft got joined at the hip to steal people’s data and time etc.

Apparently up to a third of Web Traffic is from Akamai sites, much of it redirected from where the user actually wanted to go to…

So the evil persists to this day, as Akamai say,

    Akamai’s portfolio of edge security, web and mobile performance, enterprise access, and video delivery solutions is supported by unmatched customer service, analytics, and 24/7/365 monitoring.

Which if you read it in reverse translates to,

    Permanent all the time, pervasive monitoring of users actions, pays for the tools used to spy on them, which we con other companies into paying extra profit to Akamai for.

So yeh cats don’t change their spots or stripes, just learn to play with their prey in more torturous ways.

Electron 007 December 8, 2019 10:13 AM

psychology of risk

The entire field of psychology is all about arbitrarily labeling individuals as “risks” to themselves, others, and society, imposing “mental health care” on them on an involuntary basis, and placing them on FBI, ATF, NICS and various other national and international ban lists and blacklists as mental detectives and social undesirables, consigned to the ghettos and gas chambers for life without parole by a fiat justice system of Orwellian notions of “thoughtcrime” and “precrime” …

Petre Peter December 9, 2019 7:12 AM

Every time I get sweaty palms, my amygdala’s interrupts take priority over the neocortex.

vas pup December 9, 2019 1:48 PM

@Edward: Thank you very much! Finally, moved inside amazing links provided.
For this blog, risk taking pattern/activity selection of kids substantially depends on same in parents by multiple mechanisms, but epigenetics plays substantial part I guess.
