Risk perception and digital security

In 2017, I wrote: “the digital technologies that enable much of what we think of as modern life have introduced new risks into the world and amplified some old ones. Attitudes towards risks arising from our use of both digital and non-digital technologies vary considerably, creating challenges for people who seek to manage risk.” Somewhat inevitably, this even more true today.

In order to better understand this phenomenon and the challenges it presents in my current field of employment (cybersecurity), I made a modest attempt to further our knowledge through research into risk perception in the context of digital technology risks, like the theft of valuable data, unauthorized exposure of sensitive personal information, and unwanted monitoring of private communications.

Working with my colleague, Lysa Myers, with some assistance from Dan Kahan of the Cultural Cognition Project at Yale Law School, I used the Survey Monkey account I had created for my masters degree to field a questionnaire designed to assess perception of risks arising from a variety of technologies, while also mapping responses based on the Cultural Theory of risk perception.

You can read the two-part report on that research here: Adventures in cybersecurity research: Risk, cultural theory, and the white male effect, part one. And here is part two. Below you will find charts of our key findings, as presented by Lysa and I at the 2017 (ISC)2 Security Congress in Austin, Texas. The main points are as follows:

• The security of digital systems (cybersecurity) is undermined by vulnerabilities in products and systems.
• Failure to heed experts is a major source of vulnerability.
• Failure to heed experts is a known problem in technology.
• The cultural theory of risk perception helps explain this problem.
• Cultural theory exposes the tendency of some males to underestimate risk (White Male Effect or WME).
• Researchers have assessed the public’s perceptions of a range of technology risks (digital and non-digital).
• Their findings provide the first ever assessment of WME in the digital or cyber-realm.
• Additional findings indicate that cyber-related risks are now firmly embedded in public consciousness.
• Practical benefits from the research include pointers to improved risk communication strategies and a novel take on the need for greater diversity in technology leadership roles.

Charts

To gauge risk perceptions we used the “Industrial Strength Risk Perception Measure” (ISRPM). This uses a series of questions framed as “How much risk do you believe X poses to human health, safety, or prosperity?” where X includes older technologies like X-rays and nuclear power alongside “digital risks” like government data monitoring and the accumulation of Personally Identifiable Information (PII) by organizations. In this chart, The responses are ordered from low risk to high according to the white male responses.

The yellow highlighting picks out the “digital risks.” As you can see, white males see less risk from technology pretty much across the board, with the notable exception of government data monitoring which seems to bother non-white males even less than white males. Indeed, for digital risks we saw more of a male effect than a white male effect, as you can see in this chart.

To obtain a cultural theory perspective on risks we used the “Cultural Cognition Worldview Scales”. In studies by Kahan and others these scales have revealed a strong hierarchical-individualist cultural orientation among those who tend to see less risk in global warming. This is shown here on the left, compared with low risk in criminal hacking, which strongly correlates to an individualist perspective, but is not strongly hierarchical.

When it comes to high risk, both global warming and criminal hacking registered more strongly on the egalitarian side, but with criminal hacking looking like a concern among a significant percentage of hierarchically -oriented respondents — noticeably more so than global warming.

Hopefully people will find this research helpful and it will inspire further studies. Again, you can read the two-part report in: Adventures in cybersecurity research: Risk, cultural theory, and the white male effect, part one and part two.

Notes

For more about cultural cognition, the field of study into which this research most readily falls, check out Dan Kahan’s great work at the Cultural Cognition Project at Yale Law School. (With thanks to Dan for his assistance on our project, and ESET for funding the survey and our time to work on this research.)