In my previous column, I introduced the issue of the frustrating tendency of normal computer or network users to choose bad passwords (among other irritating habits) and pointed to a study showing that at least a third of our colleagues write down their passwords. I think that these findings are consistent with social scientists’ understanding of human perception of risk.

Basically, human beings are terrible at evaluating risk; all kinds of factors interfere with rational appraisal of risk.

For example, in the 1996 report Understanding Risk: Informing Decisions in a Democratic Society edited by Paul C. Stern and Harvey V. Fineberg (National Academy Press, ISBN 0-309-05396-X), there’s a reference to a famous study by B. J. McNeil and colleagues published in 1982 in New England Journal of Medicine (volume 306, pp 1259-1262). The scientists studied people’s willingness to undergo surgery or radiation; they offered different groups two complementary ways of understanding the risks - by mortality rates versus survival rates.

For example, one group was informed that the survival rates at treatment were 100% for radiation and 90% for surgery; one year after treatment survival rates were reported as 77% for radiation vs. 68% for surgery; survival rates five years after treatment were 22% for radiation vs. 34% for surgery.

The other group was given exactly the same information, but it was framed as 0% mortality upon radiation treatment vs. 10% mortality for surgery; 23% mortality one year after radiation vs. 32% mortality one year after surgery; similarly, the five-year prognosis was 78% mortality for radiation vs. 66% for surgery.

I trust that you all see that, rationally, there’s no question that the radiation therapy was obviously worse than surgery.

The results were striking: 44% of the patients informed of the risk via mortality rates said they’d take the radiation, but only 18% of those told about survival rates chose radiation.

On the face of it, the results don’t make sense: Why would anyone respond differently to risk statistics as a function of wording? Stern and Fineberg and their colleagues suggest that people normally evaluate risk in a nonlinear fashion and that framing of problems exerts a profound effect on perception of risk. They go on to present fascinating results from other psychologists studying “prospect theory”; I leave further exploration of this subject to readers interested in the details.

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services. CV online.