Risky Literacy, and why America fears terrorism more than car accidents

in #crypto-news, 8 years ago (edited)


Risks are real but perception can be distorted


Risks are real, but the measurement of risk often does not take place when policy is decided or when important decisions which affect others are made. Security is about risk management. Whether it is cybersecurity or another form of security, all of it requires risk assessments to determine how secure or insecure the organization is. These risk assessments can take the form of a risk matrix, and the formula for calculating risk is simple.


While risks are real, the perception of risk is what may be vulnerable to social engineering attacks. This has implications for all crypto networks, and for organizations in general, and the manipulation of that perception is commonly referred to as FUD (fear, uncertainty and doubt). Risk literacy is the method of immunizing a community against this kind of irrational fear of low risk activities.

What constitutes a risk?


A risk is the amount of harm that can be expected to occur during a given time period due to a specific harm event (e.g., an accident). Statistically, the level of risk can be calculated as the product of the probability that the harm occurs (e.g., that an accident happens) multiplied by the severity of that harm (i.e., the average amount of harm or, more conservatively, the maximum credible amount of harm).

How is risk measured?

The formula for calculating risk is risk = probability x consequence (impact).

In order to measure risk we first have to know the probability that a specific event will occur. We can do a basic risk assessment if we know the frequency of a certain event and can quantify the severity of its impact. A certain event might, for example, be very frequent but have a very low impact severity, so even if it is a daily occurrence it may not be considered a threat.

In cybersecurity we would create a risk assessment for the company based on what the company determines is vital to its continued operations, its success and its priorities. We can measure impact in a company by financial loss, by opportunity costs, by death and injury, etc. So on a risk assessment matrix presented to the company we could easily show not only the vulnerability assessment (the result of a penetration test) but also how much the different vulnerabilities could cost the company in dollars, which would represent to the company its risks if it does not pay to fix its vulnerabilities.
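As an added example (not code from the original post), here is a small risk register in Python that applies risk = probability x impact to a few constructed findings, places each one on a likelihood/severity matrix and ranks them by expected annual loss in dollars; the band thresholds and the findings themselves are assumptions, not figures from the post.

```python
"""Added example: a risk register built on risk = probability x impact."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    name: str
    events_per_year: float  # estimated frequency of the harm event
    impact_usd: float       # estimated loss per event (average or max credible)


def expected_annual_loss(f: Finding) -> float:
    """risk = probability (expressed as events per year) x impact in dollars."""
    return f.events_per_year * f.impact_usd


def likelihood_band(events_per_year: float) -> str:
    """Constructed matrix rows; a real assessment sets thresholds with the business."""
    if events_per_year >= 12:
        return "frequent"
    if events_per_year >= 1:
        return "likely"
    if events_per_year >= 0.1:
        return "possible"
    return "rare"


def severity_band(impact_usd: float) -> str:
    """Constructed matrix columns, in dollars of loss per event."""
    if impact_usd >= 1_000_000:
        return "catastrophic"
    if impact_usd >= 100_000:
        return "major"
    if impact_usd >= 10_000:
        return "moderate"
    return "minor"


def rank_findings(findings):
    """Return (name, likelihood, severity, expected loss per year), highest risk first."""
    rows = [(f.name, likelihood_band(f.events_per_year),
             severity_band(f.impact_usd), expected_annual_loss(f))
            for f in findings]
    return sorted(rows, key=lambda r: r[3], reverse=True)


# Constructed sample findings from a hypothetical penetration test report.
SAMPLE = [
    Finding("phishing mail reaching staff", 250, 200),        # daily, tiny impact
    Finding("ransomware via unpatched VPN", 0.2, 2_000_000),  # rare, catastrophic
    Finding("lost unencrypted laptop", 2, 50_000),
]
```

Running rank_findings(SAMPLE) puts the daily phishing item in the frequent/minor cell and last in the register, while the rare ransomware item comes first: the product of frequency and impact, not how often the event makes headlines, decides the order.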


By presenting the risks and offering to reduce them, a security professional (such as a penetration tester) can make a career. The problem is that in some cases people forget all about risk assessments, statistics and numbers when certain kinds of risks are revealed. In particular, if a lot of people die instantly, people appear to see this as more frightening than many more people dying over time at a slower rate. If a train or plane crashes then people might not want to fly or might fear flying or getting on trains, but when cars crash people do not seem to fear getting into cars.

John Nash the famed mathematician died in a car accident. He did not die in an act of terrorism. He did not die from a plane crash, or train crash. Why is this?

The chances of dying in a terrorist attack are around 1 in 20 million according to life insurance companies. By the numbers you are more likely to be struck by lightning or be killed by your own furniture than to be killed by a terrorist. Yet most people are so afraid of being killed by a terrorist that many are willing to back building a great wall out of fear that terrorists might sneak into the United States from Mexico. The truth is that the statistics do not back this scenario, so it is not a very high risk threat, yet this doesn't stop people from perceiving it as a likely scenario.

Another example of a statistically unlikely scenario is the ticking time bomb scenario, which is used to try to justify torture, while the truth is that there is no historical evidence to support that torture has been used in such scenarios. If we look at the historical evidence we find that torture has often been used to force false confessions from innocent individuals.

The ticking time bomb scenario also resembles a final example, where the FBI might claim that all devices must have a backdoor because terrorists may be using encryption. While it is true that terrorists may be using encryption, how likely is it right now that anyone is going to die from a terrorist attack? The numbers don't lie but people do. We are more likely to die in car accidents or be struck by lightning than to die in a terrorist attack, yet this doesn't stop politicians from pushing the new variation of the ticking time bomb scenario to backdoor all encrypted devices.

And in the FBI Apple backdoor example, wouldn't it also open up new risks? If the FBI makes Apple an agent of the FBI by forcing Apple to write software backdoors on its behalf to break the security of its own software, then wouldn't foreign countries all around the world use their versions of the FBI to force backdoors into the products they make for us to buy? While I do not have the data, is it at least possible that it could result in a competition between agencies around the globe to spy on citizens?

And of course each backdoor which gets made is not likely to be made in a way where only the good guys can get in while the bad guys can't, because the software would have no guaranteed way to distinguish between them. Finally, by announcing that there is a movement to put backdoors into trusted devices, couldn't the terrorists decide to simply not use these devices while the rest of us use them? The FBI Apple controversy was a good example of a terrorist attack case being used to try to create a perceived risk which was not backed up by any statistics or evidence.

How can the crypto community improve risk literacy?

The crypto community should care about security and seek to mitigate risks. As a community we should seek to protect ourselves and our members, because the bottom line is that human beings make up the community, not the rule of the code. There are real risks to us which can negatively affect growth, and there are risks which are unknown, but in cases where we can calculate the risk we need people in the community willing to calculate it.

Some examples of risks to be calculated:

  • The risk of government persecution in a particular country or location.
  • The economic risks in terms of fines for violations of various laws.
  • The risks involved in choosing between greater or lesser centralization.
  • The risks involved in using certain practices, processes, libraries, programming languages, or programming styles.

Some of these examples already have data which can be crunched to produce a risk assessment. For example, as a result of TheDAO we now have some data on just how secure or insecure Ethereum smart contracts are. We know by the numbers just how risky centralization is when it comes to exchanges. We know by the numbers just how risky certain violations of different laws are, with example cases to cite. And we know by the numbers just how risky a few corrupt government agents can be to the ecosystem.

When discussing the risks we always have to remember to follow the numbers rather than the fear. If it looks like fear is being followed instead of the numbers, then the community statistician should be the voice of reason.

References

  1. http://riskmanagement.georgetown.edu/RiskAssessmentMeasures
  2. http://www.lifeinsurancequotes.org/additional-resources/deadly-statistics/
  3. http://www.wired.com/2014/03/bitcoin-exchange/
  4. https://www.theguardian.com/us-news/2016/feb/01/ex-secret-service-agent-shaun-bridges-bitcoin-arrest
  5. http://www.forbes.com/sites/francescoppola/2016/06/20/the-dao-hacking-shows-that-coders-are-not-infallible/#3286d6a4125d
  6. http://arstechnica.com/tech-policy/2016/07/corrupt-agent-who-investigated-silk-road-is-suspected-of-another-700k-heist/
  7. https://en.wikipedia.org/wiki/Risk
  8. https://en.wikipedia.org/wiki/Fear,_uncertainty_and_doubt
