
The Fundamentals of Risk Management: Risk Literacy & Perception


It's nearly pointless to start talking about security and risk management if the other party is risk illiterate and our risk perceptions are not aligned. Risk literacy is a mandatory prerequisite for deploying security controls or shaping the culture of an organization, and this acknowledgment should be part of an ongoing training program.

> Risk literacy refers to one's practical ability to evaluate and understand risk in the service of skilled and informed decision-making.
>
> - www.riskliteracy.org

Obviously, the word 'risk' has many uses (e.g., exposure to danger and loss; variability in probability distributions; the effect of uncertainty on objectives), but within this context the risk this article is concerned with is information security risk. Generally speaking, risk may be divided into 6 major categories:

  • Health and safety risk. General health and safety risks can be presented in a variety of forms, regardless of whether the workplace is an office or construction site.
  • Reputational risk. All businesses have a reputation to maintain, with their stakeholders, including investors, employees, and of course, customers.
  • Operational risk. Although day-to-day operations are often tried and tested to minimize dangers, incidents or unexpected circumstances could still take place.
  • Strategic risk. While the day-to-day operations of any organization are important, managing the organization's strategic goals is fundamental to future success.
  • Compliance risk. Government bodies have in place an array of industry laws, regulations, policies, and best practices to ensure ethical business practices.
  • Financial risk. Most types of risk have financial consequences, like extra costs or lost revenue. Financial risk, though, specifically refers to money flowing in and out of your business and the chance for sudden financial loss.

Information security risks are part of operational risk and may lead to reputational, compliance, and financial risks. Furthermore, safety risks may lead to information security risks, e.g. an earthquake or a fire in a data center. The above categories are therefore interrelated in several ways, and this interrelation and complexity require risk literacy and proper risk perception in order to 'manage' risk.

There is enough scientific research to show that a lack of understanding of the fundamentals of risk affects decision-making. If you're involved in risk management at your organization, there's sure to be a great deal of responsibility placed on your shoulders to ensure not only that threats to your organization are managed, but that your company is positioned to meet its objectives and make informed decisions.

As already said, risk perception is another factor that affects the decision-making process. There are several determinants that influence risk perception. Primary among these is trust. If the recipient of a message does not trust the source, it is likely that the message will not be believed. Trust between experts and the public depends on effective risk communication, and the delivery of accurate and transparent information is a critical element of gaining that trust.

Studies have shown that there are two pathways through which the amygdala's fear responses can be triggered: a fast "low road" from the thalamus to the amygdala, and a slower "high road" that passes from the thalamus to the neocortex, and only then to the amygdala, said LeDoux. The two paths do not always reach the same conclusions, he explained. The relatively crude "low road" may respond to a long, thin object as a dangerous snake, and trigger an immediate fear response, while the slower "high road" is determining that the object is a harmless stick.

Evolutionarily speaking, it may make sense for the faster pathway to err on the side of caution, said LeDoux; after all, "it's probably better to treat a stick as a snake than a snake as a stick." But the disconnection between "low" and "high" roads, which was first discovered in rats but has since been corroborated in humans, could also be responsible for some psychopathologies. "We know that lots of people have fears that they can't come to conscious terms with," said LeDoux. "People who have pathological fears may be treating sticks as snakes all the time, metaphorically."

Considering both of the above factors, risk literacy and risk perception, in risk management programs will certainly facilitate progress towards a more successful outcome and build a sustainable risk culture in any organization.


Do you understand risk?
A short quiz lets you find out how risk literate you are compared to educated people from around the world. It takes only 2 minutes:

I urge you to watch Gerd Gigerenzer at TEDxZurich talking about 'Risk literacy'.
Gerd Gigerenzer is a German psychologist who has studied the use of bounded rationality and heuristics in decision making. At the time this post was written, Gigerenzer was director emeritus of the Center for Adaptive Behavior and Cognition (ABC) at the Max Planck Institute for Human Development and director of the Harding Center for Risk Literacy, both in Berlin.


David Ropeik is a consultant in risk perception, risk communication, and risk management; an instructor at Harvard; author of several books, including "How Risky Is It, Really? Why Our Fears Don't Always Match the Facts"; blogger at BigThink.com, Psychology Today, and Huffington Post ("Risk: Reason and Reality"); and a former television journalist in Boston and twice winner of the DuPont Columbia Award, often referred to as the Pulitzer Prize of broadcast journalism. He talks about The Risk Perception Gap: why we sometimes worry more than the evidence warrants or less than the evidence warns, and what we can do to reduce the risk that rises when we get risk wrong.


References & Further Reading