How Risky Is It, Really?: Why Our Fears Don't Always Match the Facts
by David Ropeik

McGraw-Hill 2010.
ISBN 978-0-07-162969-0. USD 16.47

Reviewed by Richard Austin, 9/12/2010

Risk assessment and risk management are popular topics these days and it's very common to hear assertions that people are not really very good at either of them. Ropeik, a former broadcast journalist, now an instructor in Harvard's Continuing Education program, provides an entertaining overview of why we so often get decisions about risk wrong.

Chapter 1, "This is your brain on fear", delves into the physiological and neurological basis of how we respond to risk. While we're all familiar with the fight/flight/freeze responses, he provides a fascinating glimpse into how these are wired into the structure of our brains.

Chapter 2, "Bounded Rationality", surveys some of the reasons why our behavior deviates from what would be dictated by the pure, rational analysis of the attributes of a situation. A hint as to what is actually going on in these situations is given in the chapter subtitle "Because Reason Alone Can't Keep You Safe".

Chapter 3, "Fear Factors", examines what it is about a situation that contributes to our perception of risk and why we often either over- or underestimate the degree of risk.

Chapter 4, "The Wisdom or the Madness of the Crowd", underlines the fact that risk perception has a social and cultural dimension. While deliberately exaggerated for effect, there's a lot of truth in the quote on p. 186 to the effect that "Whoever tells the stories of a culture really governs human behavior".

The final chapter, "Closing the Perception Gap", describes some ways the gap between the true risk in a situation and our perception of that risk can be closed.

He makes a very important point that the Perception Gap is neither right nor wrong - it is a natural characteristic of a "complex affective system composed of powerful biological roots, basic patterns of information processing, psychology, personal experiences, social and cultural influences and instincts, as well as careful conscious reasoning" (p. 188). In other words, simplistic advice such as "we need to be more rational", etc., really ignores the convoluted process creating our perception of risk. A better way forward is to recognize just how complex this phenomenon really is and to approach our decision making with an appreciation of those complexities. Ropeik uses a quote from Walter Scott on p. 214 to illustrate one technique: "A thousand fearful images and dire suggestions glance along the mind when it is moody and discontented with itself. Command them to stand and show themselves, and you presently assert the power of reason over imagination." In other words, we recognize that images (bodies glowing blue from radiation after a reactor meltdown; the torch of the Statue of Liberty barely breaking the surface of a world flooded by climate change, etc.) color our perception of risk and consider that coloring when making our decisions.

Ropeik is an entertaining writer and peppers his exposition with frequent exercises that let you apply what he asserts and examine its effects on your decision making. He also provides a fairly extensive bibliography of references that can guide further study of the material. While you certainly won't go into your next risk management meeting and deliver a lecture on the physiological basis of risk perception, you will be much better prepared to understand the basis of human risk perception and do a much better job of controlling the influences that give rise to the Perception Gap. Since information security is, in many ways, all about managing risk, this is definitely a recommended read.

Before beginning life as an itinerant university instructor and security consultant, Richard Austin spent 30+ years in the IT industry in positions ranging from software developer to security architect. He welcomes your thoughts and comments at raustin2 at spsu dot edu.