
Tuesday, October 09, 2007

The way we frame risks influences perception

Network World

Security Strategies




Network World's Security Strategies Newsletter, 10/09/07


By M. E. Kabay

In my previous column, I introduced the issue of the frustrating tendency of normal computer or network users to choose bad passwords (among other irritating habits) and pointed to a study showing that at least a third of our colleagues write down their passwords. I think that these findings are consistent with social scientists’ understanding of human perception of risk.

Basically, human beings are terrible at evaluating risk; all kinds of factors interfere with rational appraisal of risk.

For example, the 1996 report Understanding Risk: Informing Decisions in a Democratic Society, edited by Paul C. Stern and Harvey V. Fineberg (National Academy Press, ISBN 0-309-05396-X), refers to a famous study by B. J. McNeil and colleagues published in 1982 in the New England Journal of Medicine (volume 306, pp. 1259-1262). The scientists studied people’s willingness to undergo surgery or radiation; they offered different groups two complementary ways of understanding the risks: mortality rates versus survival rates.


For example, one group was informed that the survival rates at treatment were 100% for radiation and 90% for surgery; one year after treatment survival rates were reported as 77% for radiation vs. 68% for surgery; survival rates five years after treatment were 22% for radiation vs. 34% for surgery.

The other group was given exactly the same information, but it was framed as 0% mortality upon radiation treatment vs. 10% mortality for surgery; 23% mortality one year after radiation vs. 32% mortality one year after surgery; similarly, the five-year prognosis was 78% mortality for radiation vs. 66% for surgery.

I trust that you all see that, rationally, there’s no question that the radiation therapy was obviously worse than surgery.

The results were striking: 44% of the patients informed of the risk via mortality rates said they’d take the radiation, but only 18% of those told about survival rates chose radiation.

On the face of it, the results don’t make sense: Why would anyone respond differently to risk statistics as a function of wording? Stern and Fineberg and their colleagues suggest that people normally evaluate risk in a nonlinear fashion and that framing of problems exerts a profound effect on perception of risk. They go on to present fascinating results from other psychologists studying “prospect theory”; I leave further exploration of this subject to readers interested in the details.

The upshot is that we have to understand that users who have little personal experience of the risks associated with poor password management are unlikely to change their behavior simply because we security folks get irritated with them. We have to adapt to reality and take alternative measures to fight the scourge of lousy, written-down passwords.

In my next column, I’ll discuss an authentication approach that works with instead of against normal human psychology.



Contact the author:

M. E. Kabay, PhD, CISSP-ISSMP is Program Director of the Master of Science in Information Assurance and CTO of the School of Graduate Studies at Norwich University in Northfield, Vt. Mich can be reached by e-mail and his Web site.




Copyright Network World, Inc., 2007
