Why are people so bad at risk assessment? Blame the brain

Stakeholders and CISOs tend to have different perspectives on estimating the risk of a potential cybersecurity incident. Understanding the psychological aspects can help bridge the gap.


Almost four decades have passed since the release of Brain, one of the first computer viruses that traveled the world. Since then, we've witnessed a wide range of attacks: Stuxnet destroyed almost a fifth of Iran's nuclear centrifuges, WannaCry infected computers in 150 countries, ransomware gangs stole millions of US dollars, and thousands of companies have been affected by data breaches. Yet, despite that, many organizations still underestimate the risk of a potential cybersecurity incident.

As humans, we've developed a danger detection system to protect against concrete threats, such as wolves, bears, and other predators. When it comes to the relatively new field of cybersecurity, it's different. "The risk of a cyberattack seems a pretty abstract concept," says Ralf Schmälzle, assistant professor at Michigan State University. "We cannot sense the danger."

Schmälzle, who studies the brain mechanisms of successful risk communication, said that danger means different things to different people. It's an "uncertain judgment," meaning that it's very subjective. "The problem with computer safety and viruses is that you don't feel any risk," he says.

In many organizations, there appear to be two sides: stakeholders and CISOs. "Stakeholders, who have never looked at firewall logs to see how many attacks are continuously happening, tend to be overly relaxed and believe that CISOs are overly paranoid," says Stefan Tanase, cyberintelligence expert at CSIS Group. "The two sides, stakeholders and CISOs, have different opinions and it's difficult for them to understand the other perspective."

Academics specializing in risk assessment and management said several barriers prevent us from understanding risk, including our biases, our experience of similar incidents, and even our perceived performance at work, which can influence our willingness to take chances.

What prevents us from assessing risk correctly?
