Well, that’s not right. Psychologists call this error of judgement the availability bias (or availability heuristic): the easier an event is to recall, the more probable we believe it to be.
The following list, adapted by Bruce Schneier from the scientific literature on the subject, summarizes in general terms what makes an event easy to remember and therefore how people perceive risk:
- Do I connect to this public Wi-Fi?
- Do I plug my pen drive into the USB port?
- Do I send this confidential file as an e-mail attachment?
- Emotional content makes memories last longer, and fear is one of the most powerful emotions in this respect. You may have noticed this in many sensationalist news stories and cybersecurity advertisements.
- Concrete words are better remembered than abstractions such as numbers. This is why anecdotes have a greater impact than statistics. Even if it pains us to admit it (aren’t we supposed to be rational animals?), our decisions are more influenced by vivid information than by pale, abstract or statistical information.
- Human faces are easily remembered, at least when they express emotion. This is why the main characters of the most successful advertisements and awareness campaigns have an identity of their own.
- Recent events are more easily remembered than old ones. Memory degrades over time. If you are driving along a road and pass an accident, you will be acutely aware of the risk of having one yourself, so you will slow down and drive carefully for a few kilometres… until the conversation moves to another subject and you forget the accident completely.
- Similarly, the novelty of an event helps etch it into memory. Everyday events go unnoticed, but extraordinary ones catch our attention.
- As every student knows, attention and repetition aid memorization. The more often information is presented, the better it is retained. Advertisers know this very well!
All these effects are cumulative. In summary, and in the words of the social psychologist Scott Plous, in very general terms: (1) the more available an event is, the more frequent or probable it will seem; (2) the more vivid a piece of information is, the more easily recalled and convincing it will be; and (3) the more salient something is, the more likely it will be to appear causal.
Where do you think we can find stories that meet all these requirements? In the media!
- As you already know, under the influence of the availability heuristic users tend to overestimate the probability of vivid and surprising events and focus on easy-to-remember information. As a security manager you can take advantage of this effect by giving users simple, memorable stories instead of quoting statistics and data: for instance, tell them how the theft of an unencrypted USB drive led to the exfiltration of a secret prototype and a major case of industrial espionage, rather than presenting the evidence that “more than half of employees report having copied confidential information to USB flash drives, although 87% of their companies had policies forbidding this practice”.
- Use repetition: the more you repeat a message (with good examples whenever possible), the more easily those examples will spring to users’ minds, and with them the message itself.
- Take advantage of the media noise caused by security incidents and use it as a vector for spreading your security messages. Keep away from abstractions and impersonal data: anchor your message to the latest example everybody is talking about.
- Pay more attention to statistics than to the danger of the day. Don’t base your judgements on small samples of representative cases, but on large figures. The fact that something currently appears a lot in the media does not mean it is frequent or highly risky, only that it is newsworthy; that is to say, it makes a good story.
- Don’t trust your memory either. Draw on data before deciding how frequent or how serious an event is.
- Under this heuristic we feel more driven to implement security countermeasures after suffering an incident than before it. Check the statistics to understand the real risks you are exposed to. Don’t wait to be hit before protecting yourself. If the risk is high, act regardless of how much media coverage the danger receives. Protect yourself now!
- We remember an incident more easily than the absence of incidents. After all, each incident is a story in itself, while the lack of incidents does not make such an attractive story. For instance, in a casino the slot machines play music at full volume when they pay out a jackpot, while those that do not pay out make no sound at all. This asymmetry makes you think jackpots are far more frequent than they really are. Pay attention not only to what you see but also to what you don’t see: it is easy to remember a successful virus, but hard to keep in mind the millions of viruses that were not so successful.
- Surround yourself with a team with varied experiences and points of view. Diversity alone will limit the availability heuristic, since your team members will naturally challenge each other.
- Use your contact network beyond your organization when making decisions. Let others provide points of view that simply could not exist within your organization. Among these groups there will be other stories biasing their judgements in different directions.