Entries Tagged "risks"

Five "Neglects" in Risk Management

Good list, summarized here:

1. Probability neglect – people sometimes don’t consider the probability of the occurrence of an outcome, but focus on the consequences only.

2. Consequence neglect – just like probability neglect, sometimes individuals neglect the magnitude of outcomes.

3. Statistical neglect – instead of subjectively assessing small probabilities and continuously updating them, people choose to use rules-of-thumb (if any heuristics), which can introduce systematic biases in their decisions.

4. Solution neglect – choosing an optimal solution is not possible when one fails to consider all of the solutions.

5. External risk neglect – in making decisions, individuals or groups often consider the cost/benefits of decisions only for themselves, without including externalities, sometimes leading to significant negative outcomes for others.

Posted on August 22, 2012 at 12:34 PM

Overreaction and Overly Specific Reactions to Rare Risks

Horrific events, such as the massacre in Aurora, can be catalysts for social and political change. Sometimes it seems that they’re the only catalyst; recall how drastically our policies toward terrorism changed after 9/11 despite how moribund they were before.

The problem is that fear can cloud our reasoning, causing us to overreact and to overly focus on the specifics. And the key is to steer our desire for change in that time of fear.

Our brains aren’t very good at probability and risk analysis. We tend to exaggerate spectacular, strange and rare events, and downplay ordinary, familiar and common ones. We think rare risks are more common than they are. We fear them more than probability indicates we should.

There is a lot of psychological research that tries to explain this, but one of the key findings is this: People tend to base risk analysis more on stories than on data. Stories engage us at a much more visceral level, especially stories that are vivid, exciting or personally involving.

If a friend tells you about getting mugged in a foreign country, that story is more likely to affect how safe you feel traveling to that country than reading a page of abstract crime statistics will.

Novelty plus dread plus a good story equals overreaction.

And who are the major storytellers these days? Television and the Internet. So when news programs and sites endlessly repeat the story from Aurora, with interviews with those in the theater, interviews with the families, and commentary by anyone who has a point to make, we start to think this is something to fear, rather than a rare event that almost never happens and isn’t worth worrying about. In other words, reading five stories about the same event feels somewhat like five separate events, and that skews our perceptions.

We see the effects of this all the time.

It’s strangers by whom we fear being murdered, kidnapped, raped and assaulted, when it’s far more likely that any perpetrator of such offenses is a relative or a friend. We worry about airplane crashes and rampaging shooters instead of automobile crashes and domestic violence—both of which are far more common and far, far more deadly.

Our greatest recent overreaction to a rare event was our response to the terrorist attacks of 9/11. I remember then-Attorney General John Ashcroft giving a speech in Minnesota—where I live—in 2003 in which he claimed that the fact there were no new terrorist attacks since 9/11 was proof that his policies were working. I remember thinking: “There were no terrorist attacks in the two years preceding 9/11, and you didn’t have any policies. What does that prove?”

What it proves is that terrorist attacks are very rare, and perhaps our national response wasn’t worth the enormous expense, loss of liberty, attacks on our Constitution and damage to our credibility on the world stage. Still, overreacting was the natural thing for us to do. Yes, it was security theater and not real security, but it made many of us feel safer.

The rarity of events such as the Aurora massacre doesn’t mean we should ignore any lessons it might teach us. Because people overreact to rare events, they’re useful catalysts for social introspection and policy change. The key here is to focus not on the details of the particular event but on the broader issues common to all similar events.

Installing metal detectors at movie theaters doesn’t make sense—there’s no reason to think the next crazy gunman will choose a movie theater as his venue, and how effectively would a metal detector deter a lone gunman anyway?—but understanding the reasons why the United States has so many gun deaths compared with other countries does. The particular motivations of alleged killer James Holmes aren’t relevant—the next gunman will have different motivations—but the general state of mental health care in the United States is.

Even with this, the most important lesson of the Aurora massacre is how rare these events actually are. Our brains are primed to believe that movie theaters are more dangerous than they used to be, but they’re not. The riskiest part of the evening is still the car ride to and from the movie theater, and even that’s very safe.

But wear a seat belt all the same.

This essay previously appeared on CNN.com, and is an update of this essay.

EDITED TO ADD: I almost added that Holmes wouldn’t have been stopped by a metal detector. He walked into the theater unarmed and left through a back door, which he propped open so he could return armed. And while there was talk about installing metal detectors in movie theaters, I have not heard of any theater actually doing so. But AMC movie theaters have announced a “no masks or costumes policy” as a security measure.

Posted on August 3, 2012 at 6:03 AM

The Ubiquity of Cyber-Fears

A new study concludes that more people are worried about cyber threats than terrorism.

…the three highest priorities for Americans when it comes to security issues in the presidential campaign are:

  1. Protecting government computer systems against hackers and criminals (74 percent)
  2. Protecting our electric power grid, water utilities and transportation systems against computer or terrorist attacks (73 percent)
  3. Homeland security issues such as terrorism (68 percent)

Posted on May 24, 2012 at 11:31 AM

Kip Hawley Reviews Liars and Outliers

In his blog:

I think the most important security issues going forward center around identity and trust. Before knowing I would soon encounter Bruce again in the media, I bought and read his new book Liars & Outliers and it is a must-read book for people looking forward into our security future and thinking about where this all leads. For my colleagues inside the government working the various identity management, security clearance, and risk-based security issues, L&O should be required reading.

[…]

L&O is fresh thinking about live fire issues of today as well as moral issues that are ahead. Whatever your policy bent, this book will help you. Trust me on this, you don’t have to buy everything Bruce says about TSA to read this book, take it to work, put it down on the table and say, “this is brilliant stuff.”

I’m hosting Kip Hawley on FireDogLake’s Book Salon on Sunday at 5:00 – 7:00 PM EDT. Join me and we’ll ask him some tough questions about his new book.

Posted on May 18, 2012 at 6:06 AM

Research into an Information Security Risk Rating

The NSF is funding research on giving organizations information-security risk ratings, similar to credit ratings for individuals:

Existing risk management techniques are based on annual audits and only provide a snapshot of a partner’s security posture. However, new vulnerabilities are discovered every day and the industry needs a solution that enables a business to continuously monitor changing risk posture of all its partners and proactively manage assumed risks. The Phase II research objective is to build a scalable fully-automated ratings system. The research will focus on identifying and incorporating new data sources, improving the statistical properties of the ratings model, and making the ratings predictive of future behavior.

Historically, credit scoring has been a “cost and time-saving technology” that has provided tremendous value to lenders and borrowers alike by reducing costs, predicting future performance, and improving credit accessibility and affordability. Unlike credit scoring, no industry standard scoring service exists to rate business with respect to their information security risk. With Saperix’s ratings service, businesses and government will have the potential to reap the same time and cost savings that lenders do from credit scoring services. If the research is successful, Saperix’s solution would provide market incentives for improving security outcomes, which would be a significant change in how security investments are viewed by businesses.

I have no idea if this is snake oil or if it actually works, but note that this is a Phase II award. There was already a Phase I award, and the NSF must have liked the results from that.

Posted on January 25, 2012 at 6:44 AM

Collecting Expert Predictions about Terrorist Attacks

John Mueller has been collecting them:

Some 116 of these Very People were surveyed in 2006 by Foreign Policy magazine in a joint project with the Center for American Progress. The magazine stressed that its survey drew from the “highest echelons of America’s foreign policy establishment” and included the occasional secretary of state and national security adviser, as well as top military commanders, seasoned members of the intelligence community, and academics and journalists of the most “distinguished” nature. Over three-quarters of them had been in government service, 41 percent for over ten years. The musings of this group, it was proposed, could provide “definitive conclusions” about the global war on terror.

The Very People were asked to put forward their considered opinions about how likely it was that “a terrorist attack on the scale of 9/11” would again occur in the United States by the end of 2011—that is, by last Saturday.

Fully 70 percent found it likely and another 9 percent proclaimed it to be certain. Only 21 percent, correctly as we now know, considered it unlikely.

I’ve never heard this particular quote before, and find it particularly profound:

In 2004, Russell Seitz plausibly proposed that “9/11 could join the Trojan Horse and Pearl Harbor among stratagems so uniquely surprising that their very success precludes their repetition”….

More predictions here.

Posted on January 10, 2012 at 6:56 AM

Assessing Terrorist Threats to Commercial Aviation

This article on airplane security says many of the same things I’ve been saying for years:

Given the breadth and complexity of threats to commercial aviation, those who criticize the TSA and other aviation security regulatory agencies for reactive policies and overly narrow focus appear to have substantial grounding. Three particularly serious charges can be levied against the TSA: it overemphasizes defending against specific attack vectors (such as hijackings or passenger-borne IEDs) at the expense of others (such as insider threats or attacks on airports); it overemphasizes securing U.S. airports while failing to acknowledge the significantly greater threat posed to flights arriving or departing from foreign airports; and it has failed to be transparent with the American people that certain threats are either extremely difficult or beyond the TSA’s ability to control. Furthermore, the adoption of cumbersome aviation security measures in the wake of failed attacks entails a financial burden on both governments and the airline industry, which has not gone unnoticed by jihadist propagandists and strategists. While the U.S. government has spent some $56 billion on aviation security measures since 9/11, AQAP prominently noted that its 2010 cargo plot cost a total of $4,900.

The author is a former Delta advisor. Wired talked to him:

Brandt says aviation security needs a fundamental overhaul. Not only is the aviation industry failing to keep up with the new terrorist tactics, TSA’s regimen of scanning and groping is causing a public backlash. “From the public’s perspective, this kind of refocusing would reduce the amount of screening they have to put up with in the United States,” Brandt tells Danger Room, “and refocus it where it’s needed.”

[…]

None of this is going to be easy, or cheap. Brandt proposes that the government subsidize airlines for better employee background checks or explosives detection tech. But that could strike taxpayers as a bailout.

On the other hand, he and Pistole actually share the same headspace, so it’s possible that TSA will buy his overall critique. “The best defense is still developing solid intelligence on terrorist groups interested in targeting aviation,” Brandt says. Beats treating us all like terrorists.

Or, as I say: investigation, intelligence, and emergency response.

Posted on December 13, 2011 at 12:46 PM
