The long view of security strategies for your network.
In my previous column, I introduced the issue of the frustrating tendency of normal computer or network users to choose bad passwords (among other irritating habits) and pointed to a study showing that at least a third of our colleagues write down their passwords. I think that these findings are consistent with social scientists’ understanding of human perception of risk.
Basically, human beings are terrible at evaluating risk; all kinds of factors interfere with rational appraisal of risk.
For example, in the 1996 report Understanding Risk: Informing Decisions in a Democratic Society edited by Paul C. Stern and Harvey V. Fineberg (National Academy Press, ISBN 0-309-05396-X), there’s a reference to a famous study by B. J. McNeil and colleagues published in 1982 in the New England Journal of Medicine (volume 306, pp. 1259-1262). The scientists studied people’s willingness to undergo surgery or radiation; they offered different groups two complementary ways of understanding the risks - by mortality rates versus survival rates.
For example, one group was informed that the survival rates at treatment were 100% for radiation and 90% for surgery; one year after treatment survival rates were reported as 77% for radiation vs. 68% for surgery; survival rates five years after treatment were 22% for radiation vs. 34% for surgery.
The other group was given exactly the same information, but it was framed as 0% mortality upon radiation treatment vs. 10% mortality for surgery; 23% mortality one year after radiation vs. 32% mortality one year after surgery; similarly, the five-year prognosis was 78% mortality for radiation vs. 66% for surgery.
I trust that you all see that, rationally, there’s no question: the radiation therapy was obviously worse than surgery.
The results were striking: 44% of the patients informed of the risk via mortality rates said they’d take the radiation, but only 18% of those told about survival rates chose radiation.
On the face of it, the results don’t make sense: Why would anyone respond differently to risk statistics as a function of wording? Stern and Fineberg and their colleagues suggest that people normally evaluate risk in a nonlinear fashion and that framing of problems exerts a profound effect on perception of risk. They go on to present fascinating results from other psychologists studying “prospect theory”; I leave further exploration of this subject to readers interested in the details.
The upshot is that we have to understand that users who have little personal experience of the risks associated with poor password management are unlikely to change their behavior simply because we security folks get irritated with them. We have to adapt to reality and take alternative measures to fight the scourge of lousy, written-down passwords.
In my next column, I’ll describe an authentication approach that works with instead of against normal human psychology.
M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.