Hacking, Rationality, and the Fear of the Unknown

Written by Reflare Research Team | Jan 19, 2017 12:50:00 PM

Rationality in the face of threats, from germs to crime, has been studied before in many different settings. There is, however, a category of threats that hasn’t been covered as extensively, and that is cyber security.

First Published 19th January 2017

Just cause you feel it doesn't mean it's there.

Since the buzz around alleged electoral hacking has quieted down somewhat, we will not touch on it this week. In the absence of newly published proof, we believe our previous assessments of the situation remain accurate. Instead, we will take this opportunity to analyze why cyber security threats tend to make people more uneasy and afraid than comparable non-digital threats. To do so, we will take the unconventional approach of assessing hacks through the lens of ‘the individual’, comparing the rationality (or in some cases, lack thereof) of the reaction to a cyber attack with the reaction to other types of attacks. Attacks will often trigger larger-than-appropriate fear reactions for fairly similar reasons. Humans tend to have a fear reaction based on 4 factors:

  • The severity of the damage if the malicious event should come true

  • The likelihood of the malicious event coming true

  • How well they understand the malicious event

  • How controllable the malicious event is

It is easy to see that all of these factors are linked. A malicious event that is better understood is more likely to have its likelihood and severity assessed accurately and can be more easily controlled along its known parameters. Equally, extremely severe events tend to be estimated to be much too likely or much too unlikely. None of these parameters is objective; each is subjective to the individual evaluating the risk.

The (ir)rational mind

For example, being attacked by a shark is an incredibly unlikely event for most people. However, since the event is severe, most people have no understanding of sharks, and a wild creature is not controllable from the average person’s perspective, many people are worried about shark attacks. At the same time, heart disease is one of the leading causes of death in the modern world and thus has a very high likelihood and severity.

However, the problem seems to be easy to understand and well controllable (I’ll do more sports and eat better). We end up with a situation where tens of thousands more people are killed by heart attacks than by shark attacks, but sharks are more feared.

This is not trying to make a moral statement about what “should” be feared more. It is merely important to understand how humans process fear of attack to then understand why some attacks are more feared than others. Now, let’s look at a hacking attack compared to something a bit more abstract, like exposure to radiation. Both are potentially fatal (exposure to extremely high radiation, hacking of a pacemaker) but relatively harmless on average (background radiation, having a single credit card stolen and defrauded for $50). The severity of both is inversely proportional to their likelihood (servers are attacked every day and the body is always exposed to low-level background radiation but life-threatening cyber attacks and radiation levels are rare).

The average person understands virtually nothing about radiation and hacking. Neither radiation nor hacking seems controllable to most; both are invisible, and damage may only become apparent long after the event has taken place. In summary, both radiation and hacking have similarly extensive potential to make people afraid. Their severities and likelihoods are variable and thus hard to gauge, while the events themselves are almost impossible for the average person to understand and control. This means that the risks involved with both are often over-estimated by the general population.

Although experts in the respective fields may correctly point out that a specific event is not as damaging as publicly believed, there is no way for the average person to tell the difference between a legitimate expert and a special interest agent. Quite the opposite: special interest agents – those trying to influence public opinion to further the interests of their group – often use this confusion to pose as or discredit existing experts. As information technology continues to proliferate, the underlying parameters are bound to change.

The average person in the late 1800s was deathly afraid of travelling faster than 50kph (the exact number quoted varies) but such fears subsided as trains, cars and planes entered mainstream use. We expect a similar effect as people get more acquainted with IT and cyber attacks. In the meantime, it remains virtually impossible for the average person to accurately assess the risks of cyber attacks.

Because reporters and government officials have similar levels of understanding, and sensationalism has many uses, we predict that the public perception of the risks, and therefore the fear of hacking, will become more and more exaggerated as the full potential of cyber attacks is slowly experimented with by governments, militaries and rogue agents. While the assessment of each attack is a complex task, it is reasonable to work with the guideline that - on average - any given cyber attack is less risky than perceived.