Individually, we simple humans find risk a hard concept to manage. And if that’s true of individuals, it’s also true of groups, which explains why selling increased security or DR budgets to your executive Board is hard, and why actuaries are so well paid.
Bruce Schneier’s excellent post on perceived and actual risk is a great place to begin exploring how people understand risk. In particular, we’re very prone to exaggerating unlikely risks (“we’ll all fall prey to cyber attacks like Sony”) and downplaying common, but less serious risks (“our staff are storing presentations on Dropbox”). This is Nassim Nicholas Taleb’s Black Swan theory at play.
We’re also bad at understanding the very words used to describe probability. In a study which focused on people’s understanding of probability, researchers discovered the following: “Research on verbal probabilities has shown that unlikely or improbable events are believed to correspond to numerical probability values between 10% and 30%. However, building on a pragmatic approach of verbal probabilities and a new methodology, the present paper shows that unlikely outcomes are most often associated with outcomes that have a 0% frequency of occurrence.”
In an easier-to-understand example, the authors explain their findings:
“an improbable exam grade is one that has not yet been observed, rather than one that has been obtained by a small percentage of students”.
In other words, we’ll infer probability from patterns in data, even when that data clearly shows our inference to be wrong.
In an article on risk, social psychologist Eric Horowitz describes many of the underlying causes – being very conscious of our innate and very human flaws when communicating risk is key. Choosing the right language and carefully explaining potentially confusing data or tricky terminology is critical. Know your audience, and take time to explain.
The case of TJ Hooper
Risk in the workplace is most commonly dealt with when considering compliance, or exposure to unlikely but damaging costs. In technology terms, we most frequently deal with risk calculation in two areas – Business Continuity and Security.
The case of the TJ Hooper, a tug boat assigned to look after three barges in New York in 1928, set a precedent in US law that is still applicable to any risk in business today. The TJ Hooper, as was customary at the time, didn’t have a radio fitted, due to the relatively high cost and the prevailing wisdom that radios weren’t required. When a storm hit the TJ Hooper and her barges, sinking the barges and destroying the cargo, it was perhaps unsurprising that the cargo owners started a chain of lawsuits.
Judge Hand, who presided over the case, ruled that the barge owners were at fault for not fitting the TJ Hooper with a radio. Specifically, he proclaimed:
“There are precautions so imperative that even their universal disregard will not excuse their omission”
Judge Hand’s decision was later formalised into the Calculus of Negligence by Richard Posner in the Economic Analysis of Law, stating that an act is in breach of a duty of care if:
B < PL
where B is the cost incurred to take the necessary precautions, P is the probability of loss and L is the gravity of the loss. This inequality is a simple touchstone for anyone faced with explaining why a cost is necessary. If, of course, you can adequately explain P…
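As an added illustration (not from the original post), the Python below applies the B < PL test to a few constructed precautions, reading the probability the way the study quoted earlier suggests people read words like “unlikely” (anywhere from 0% to about 30%), and flags the cases where the verdict depends entirely on which reading the Board hears. The precaution names, costs and probability bands are assumptions made for the example.

```python
from dataclasses import dataclass

# Verbal probability bands (constructed for this example). The study quoted
# above found "unlikely" is read as anything from 0% up to roughly 30%.
VERBAL_BANDS = {
    "unlikely": (0.00, 0.30),
    "possible": (0.30, 0.60),
    "likely":   (0.60, 0.90),
}


@dataclass
class Precaution:
    name: str
    burden: float   # B: cost of taking the precaution
    loss: float     # L: gravity of the loss it would prevent
    p_words: str    # how the probability was described to the Board


def hand_rule(burden: float, probability: float, loss: float) -> bool:
    """Calculus of negligence: the precaution is required when B < P * L."""
    return burden < probability * loss


def assess(precaution: Precaution) -> tuple[str, float]:
    """Evaluate B < PL at both ends of the verbal band and report whether
    the verdict is stable, plus the break-even P at which B == PL."""
    lo, hi = VERBAL_BANDS[precaution.p_words]
    at_lo = hand_rule(precaution.burden, lo, precaution.loss)
    at_hi = hand_rule(precaution.burden, hi, precaution.loss)
    if at_lo and at_hi:
        verdict = "required"
    elif not at_lo and not at_hi:
        verdict = "not required"
    else:
        verdict = "depends on how '%s' is read" % precaution.p_words
    breakeven = precaution.burden / precaution.loss
    return verdict, breakeven


if __name__ == "__main__":
    # Constructed sample precautions; figures are illustrative only.
    for p in (Precaution("Fit a radio", 500, 60_000, "unlikely"),
              Precaution("Offline backups", 20_000, 1_000_000, "likely"),
              Precaution("Gold-plated DR site", 50_000, 100_000, "unlikely")):
        verdict, breakeven = assess(p)
        print(f"{p.name}: {verdict} (break-even P = {breakeven:.1%})")
```

The break-even figure is the number to take into the meeting: if the honest estimate of P is above it, the precaution pays for itself under Hand’s rule, whatever adjective was used to describe it.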