Don’t confuse the frequency of an incident with the ease with which you remember it

ElevenPaths, 4 March, 2019
Imagine that there have been a few robberies in two parks of your town that have got all the attention for days. This afternoon you would like to go running around the park next to your home, so these incidents will quickly come to your mind, and this fact will make you think about the probability of being a victim of a robbery (or something worse) in that park. Your mind will make the following association:
Park = Danger!!!
The images you have watched on TV and the Internet will make you overestimate the probability that you may be the next victim in any other park from a different town. As a consequence, you could avoid going running around the park near your home (or any other park) until the media echo ends. Only when you stop thinking “Park = Danger!!” will you frequent parks again.
It is clearly an irrational behavior. In fact, your mind is using the following heuristic: if examples of something come easily to my mind, then that “something” must be common. So, since violent images come to my mind when I think of “park”, the probability of suffering a violent attack must be high. After all, who checks official statistics on muggings in parks? If two different people have been assaulted in parks, this means that parks are dangerous places, no matter what statistics show, right?

Well, that’s not right. Psychologists call this error of judgment the availability bias: the easier an event is to remember, the more probable we think it is.

We tend to overestimate the frequency of sensationalist causes and underestimate the frequency of mundane causes
Humans are really bad at numbers, let alone at estimating probabilities. Our perception of risk seldom matches reality. We tend to exaggerate spectacular, new, vivid, recent and emotional risks. The final result: we worry about risks that we could ignore without problems and we do not pay enough attention to the risks that the evidence warns us about.

The following table, adapted by Bruce Schneier from scientific literature on the subject, summarizes how people perceive risks in general terms:

The availability heuristic explains most of the behaviors listed in the previous table. Similarly, we make decisions (big and small ones) in our everyday life that have direct implications for security:
• Do I connect to this public Wi-Fi?
• Do I plug my pen drive into the USB port?
• Do I send this confidential file as an e-mail attachment?
We estimate risks automatically without paying too much conscious attention: we do not use a calculator or incident frequency rates to determine probabilities, so we let ourselves be guided by the availability heuristic: does an incident related to this security challenge come quickly to my mind? If not, then it must be unlikely, so the risk will be low. If so, then it must be quite likely, so the risk will be high.
The point is: why are some events easier to remember than others? The answer to this question will help us make better security decisions and not be easily influenced by others: sellers, bloggers, press, friends, etc.
Vivid stories are etched on our memory
In particular, researchers in the field have identified a number of factors that make one event stay etched on our memory longer than others:
• Any emotional content makes memories last longer. One of the most powerful emotions in this regard is precisely fear. You may have noticed it in many sensationalist news stories and advertisements on cybersecurity.
• Concrete words are better remembered than abstractions such as numbers. This is why anecdotes have a higher impact than statistical stories. Even if it pains us to accept it (weren’t we rational animals?), our decisions are more affected by vivid information than by pale, abstract or statistical information.
• Human faces tend to be easily remembered, at least if they express emotions. For this reason, the main characters of the most successful advertisements and campaigns have their own identity.
• Events that have taken place recently are more easily remembered than old events. Memory degrades over time. If you are driving along a road and pass close to an accident, you will be very aware of the risk of suffering one, so you will slow down and drive carefully for a few kilometers… until your conversation moves on to a different subject and you completely forget the accident.
• Similarly, the newness of an event helps it to be etched on our memory. Everyday events go unnoticed, but extraordinary actions catch our attention.
• As all students must know very well, concentration and repetition help with memorization. The more times information is presented, the better such information will be retained. How well publicists know this!

All these are cumulative effects. In summary, according to the social psychologist Scott Plous, in very general terms: (1) The more available an event is, the more frequent or probable it will seem; (2) the more vivid a piece of information is, the more easily recalled and convincing it will be; and (3) the more salient something is, the more likely it will be to appear causal.

Where do you think we can find stories matching all these requirements? In the media!

If you see it on the news, don’t worry!
As happens with many other biases and thought shortcuts, the availability heuristic is valid in most of our everyday situations: if many examples of something come to our minds it’s because it has actually happened many times.
I’m sure that men scientists spring to mind more easily than women scientists, in the same way that our thoughts go first to U.S. global franchises rather than to Spanish ones, or to Champions League football players from Spain rather than from Malta. This is because there are many more examples of the first category than of the second. Therefore, the availability heuristic is useful most of the time, since the ease with which we remember relevant examples constitutes a good shortcut to estimate their probability or frequency.
Nevertheless, this shortcut is not infallible. Some events may simply be more remarkable than others, so their availability is a poor indicator of their probability. Negative information reported on the news is to a great extent responsible for feeding this heuristic. By definition, an event must happen rarely to be reported on the news. In fact, it must be really prominent to catch people’s attention. That way, the news reports on facts that are statistically irrelevant, thus biasing our perception of the frequency of events.
As a result, if people evaluate risk based on the ease with which they remember several dangers, they will be especially worried about the dangers reported in the media, rather than about the dangers to which less attention is paid, even if these are just as lethal or more so.
This is why we tend to believe that we are more likely to die from an accident than a disease, since the brutal crash of two vehicles on a bridge over a cliff has a higher media coverage than death by asthma, even though 17 more people die from diseases than from accidents. But, of course, we see news of accidents every day, while we hear of deaths by asthma only if it happens to a friend or a relative.
What’s more, some researchers have asserted that for this heuristic to work the event need not even have actually occurred. It may be pure fiction: we only need to have watched it in a movie or series.
And, of course, audiovisual media are more vivid than written ones (and they have more human faces!). Over time, we tend to forget where we saw the event (if it was at the cinema, on the news…). The source of information fades out and only the example itself (whether real or fictitious) survives. How reliable the availability of an example is!
According to Daniel Kahneman: the world in our heads is not a precise replica of reality; our expectations about the frequency of events are distorted by the prevalence and emotional intensity of the messages to which we are exposed.
How to survive the availability heuristic in the field of cybersecurity
The first step to fight a bias is to be aware of its existence. If you have reached this point, you may have a clear idea about how our availability heuristic works. From now on, what can you do?
• As you already know, under the availability heuristic’s influence, users tend to overestimate the probability of vivid and surprising events and they will focus on easy-to-remember information. As a security manager you may take advantage of this effect by providing users with simple and easy-to-remember stories instead of quoting statistical information and data: for instance, by sharing with them stories about how the exfiltration of data on a secret prototype led to an important case of industrial espionage in which an unencrypted USB device had been stolen, instead of presenting the evidence that “more than half of employees have reported that they copied confidential information to USB flash drives, although 87% of these companies had policies forbidding this practice”.
• Use repetition: the more you repeat a message (with good examples whenever possible), the more easily such examples will spring to users’ minds and, together with them, the message itself.
• Take advantage of the media noise caused by security incidents and use them as spreading vectors of your security messages. Keep away from abstractions and impersonal data: anchor your message to the last example about which everybody is talking.
• Pay more attention to statistics than to the daily danger. Don’t base your judgements on small samples of representative cases, but on big figures. The fact that something is currently appearing a lot in the media does not mean that it is frequent or highly risky, but just that it is newsworthy, that is to say: it constitutes a good story.
• Don’t trust your memory either. Draw upon data before deciding on an event’s frequency or magnitude.
• Under this heuristic, we feel more driven to implement security countermeasures after having suffered an incident than before. Check the statistics to understand what real risks we are exposed to. Don’t wait until you are hit to protect yourself. If the risk is high, ignore the media coverage that the danger receives. Protect yourself now!
• We remember an incident more easily than the lack of incidents. After all, each incident is a story in itself, while the lack of them doesn’t make such an attractive story. For instance, at the casino, music from fruit machines sounds at full volume when they win a jackpot. However, those that don’t win do not sound at all. This asymmetry will make you think that jackpots are much more frequent than they actually are. Pay attention not only to what you see, but also to what you don’t see: it is easy to remember a successful virus, but difficult to keep in mind the millions of viruses that were not so successful.
• Surround yourself with a team having numerous experiences and points of view. The simple fact of diversity will limit the availability heuristic, since your team members will challenge each other naturally.
• Use your contact network beyond your organization when making decisions. Allow others to provide you with points of view that simply could not exist within your organization. Among these groups there will be other stories biasing their judgments in different directions.
Hence, next time you make a decision, pause to ask yourself: “Am I making this decision because a recent event has come to my mind, or am I really considering other factors that I cannot remember so easily?”. The better we understand our personal biases, the better the decisions we make will be.
Gonzalo Álvarez Marañón
Innovation and Labs (ElevenPaths)