Nasim Taleb in his book The Black Swan provides the following examples of Mirage Casino’s four largest losses:
- $100 million from a tiger mauling
- Unsuccessful attempt to dynamite casino
- Neglect in completing tax returns
- Ransom demand for owner’s kidnapped daughter
How many of these losses could’ve been identified and managed appropriately?
John Adams in his research Risk, Freedom and Responsibility suggests that “Risk management is not rocket science – it’s much more complicated.” He further elaborates on this point in his research: “The risk manager must […] deal not only with risk perceived through science, but also with virtual risk – risks where the science is inconclusive and people are thus liberated to argue from, and act upon, pre-established beliefs, convictions, prejudices and superstitions.”
According to Adams, there are three types of risk:
- Directly perceptible risks are dealt with using a proper judgment. “One does not undertake a formal, probabilistic, risk assessment before crossing the road.”
- Risks perceived through science are subject to formal risk managementprocess. “Here one finds not only biological scientists in lab coats peering through microscopes, but physicists, chemists, engineers, doctors, statisticians, actuaries, epidemiologists and numerous other categories of scientist who have helped us to see risks that are invisible to the naked eye. Collectively they have improved enormously our ability to manage risk – as evidenced by the huge increase in average life spans that has coincided with the rise of science and technology.”
- Virtual risk is not perceived through science, hence people are forced to act based on their convictions and beliefs.“Such risks may or may not be real, but they have real consequences. In the presence of virtual risk what we believe depends on whom we believe, and whom we believe depends on whom we trust.”
Klein in his Streetlights and shadows: searching for the keys to adaptive decision making suggests the following issues with risk management:
- It works best in well-ordered situations
- Fear of speaking out may result in poor risk identification
- Organisations should understand that plans do not guarantee success and may result in a false sense of safety
- Risk Management plans may actually increase risk.
Klein also identifies three risk decision making approaches:
- Prioritise and reduce
- Calculate and decide
- Anticipate and adapt
To illustrate individual’s decision-making process while dealing with risk, Adams introduces another concept called “Risk thermostat”
The main idea behind it is that people vary in their propensity to take risks which is influenced by the perception of risk, experience of losses, and potential rewards.
People tend to overestimate spectacular but rare risks, but downplay common risks. Also, personified risks are perceived to be greater than anonymous risks.
The protection measures also can be introduced to only increase perceived security, rather than implement actual mechanisms. A possible example might be using National Guard in airports after 9/11 to provide re-assurance. However, such a security theatre has other applications in relation to motivation, deception and economics.
Finally, Adams discusses the phenomenon of risk compensation and appropriate adjustments which take place in the risk thermostat. He argues that introducing safety measures changes behavior: for example, seat belts can save a life in a crash, so people buckle up and take more risks when driving, leading to an increased number of accidents. As a result, the overall number of deaths remains unchanged.
Cyber Security Leadership 