Should we blame Darwin’s evolution?

Any serious discussion of risk must scrutinize its three building blocks: threat, likelihood and impact. The first two grab central stage in the discussion as they are considered elusive: we can’t see the attacker lurking in the shades and we find it hard to predict when he would attack. However impact seems to be well understood and the most predictable of the three: money may be stolen, customer faith may be lost or a person identity may be hijacked.  After all it is about us, rather than the shadowy bad guys.

However, while we all chant the potential breach impact in a well-rehearsed manner, it is doubtful that we, as individuals or as a society, evaluate breach impact to its full extent. Just consider how averse people are to physical break-in (or even a mouse in the wrong place), while tolerating computer based penetration, becoming part of a botnet or having malware on their on their web site.

One would argue that the impact of cybercrime is lower. While it is certainly true at times, I am not sure this is generally the case. A stranger in full control of your computer can and does inflict much more damage than your average burglar. Knowing everything about a victim and being able to impersonate him opens up opportunities for infinite abuse scenarios with potentially grieve consequences. And just in case you thought this is all theoretical browse the Web Hacking Incidents Database for many anecdotal stories.

The main difference between day to day burglary and cyber burglary is that the former is physical, which may be a clue to the reason we fear it more. Many modern phenomena from Christmas shopping to Junk food craving are attributed to human progress moving faster than evolution, leaving us with prehistoric human instincts. While this sounds like common sense (at least once you accept Darwinian evolution as common sense) a lot of evolutionary psychology research is done to validate this notion.  A research by New et al from the center of evolutionary psychology at the University of California Santa Barbara shows that we are much better tuned to be alerted by humans and animals. The study shows that people are less sensitive to cars than to animals even though the former pose more significant danger to us.

I suspect that virtual attackers will always be even less of a concern to us than humans, let alone mice, regardless of the actual risk they pose. On one hand, correctt: our alertness and presumably more fear of a physical encounter implies that the potential impact of a physical burglary more significant to us. However, this subjective evaluation may skew our perception when organization or society wide issues are at hand. For example, most people are more worried of a terrorist attack than of a cyber-attack while in most circumstances the latter is more probable and will have a worse impact than the former. Why? While both can lead to it, a terrorist attack is more immediately linked with pain and blood.

What can we do? As in most other cases in which our common sense may lead us to the wrong results, only a quantitative scientific risk management process can help to reduce the this instinctive perception bias.