Throughout human evolution, fear has been crucial to survival. The brain is made to fear uncertainty.1 When experiencing fear, the amygdala in the brain actively works against the ability to rationalize. Therefore, when reacting to fear, humans think quickly instead of slowly,2 which leads to bias in the decisions made. People may believe that they are making rational decisions, but if they are acting out of fear, they most likely are not.
Humans’ cognitive evolution, including the ability to imagine fiction,3 has improved the ability to consider risk. Being risk-aware, while developing knowledge, actions and inventions that decrease risk, leads to fewer injuries and deaths. However, humans are shaped by their histories to act on risk that is simple and within sight. The human brain is wired to perceive straightforward risk, which is beneficial early in life. As humans grow, this can become a habit.
Unfortunately, for some enterprises, security becomes an out-of-sight, out-of-mind domain, which often exposes the enterprise to the effects of fear. This can result in exaggerated control of less important sources of security risk, leaving more important ones neglected. By acknowledging the complexities of security and cooperating with the element of fear, enterprises are empowered to focus on their most critical sources of risk.
Determining the Real Danger
Even though risk for humans has changed significantly over thousands of years, fear has always been present. Fear is subjective and sometimes irrational, so how does one determine what to fear?
Cardiovascular diseases were the biggest killers in the world in 2019, causing a staggering 18.56 million deaths.4 But cardiovascular diseases generally are not a predominant fear in daily life.
This is because they are a complex source of risk that is not highly visible. Cardiovascular diseases are typically caused by unhealthy lifestyles, characterized by a nutrient-poor diet, physical inactivity, and tobacco and alcohol use.5 In the minds of many, mitigating actions such as a healthy diet and exercise are not directly correlated to preventing disease. Because diseases may develop over a long period of time and are not immediately obvious, the risk is not evident until it comes to fruition.
The ability to deal with complex, niche sources of risk such as cardiovascular disease requires slow thinking, which can be challenging to master. For this reason, humans often simplify complex risk to process it faster, especially if they are not trained in how to think slowly.
The connections in the brain’s neural network become stronger with repetition.6 So, the training of slow-thinking capabilities is crucial because it plays a key role in the ability to piece together information and draw thoughtful conclusions.
When humans are exposed to stories about someone getting injured due to not wearing a bike helmet, they are reminded that not wearing a bike helmet leads to injuries. The neural connections in the brain supporting that narrative are strengthened, while other aspects are not. The perceived impact is dominant for human understanding of risk at this stage, and if there is an easy method of mitigation, it is preferable and less stressful. Therefore, the message is to wear a bike helmet to be safe when riding a bike.
This is one of the reasons there is a continued struggle to contend with climate change. Climate change is a complex problem with many aspects, uncertainties and ramifications. It is an out-of-sight, out-of-mind risk for most humans because they do not yet suffer from its direct impact.
The Impact of Fear on Security
So, why are these considerations important to the information security domain?
Fear in risk management can have significant consequences, such as exaggerated security controls being imposed and more serious sources of risk being neglected if attention is not directed to the right areas.
One of the most notable public catastrophes due to neglecting risk in modern times is the meltdown of the Chernobyl nuclear power plant.7 The plant’s operational procedures failed to account for the human factor,8 having designs in place that outstripped the operators’ ability to use them safely because they did not correctly understand the risk and the risk indicators.
Security professionals working with risk management should acknowledge the impact of fear and establish methods to prevent irrational thinking and decision-making. Less visible sources of risk should be made evident and understandable for all stakeholders in partnership with the enterprise. Doing this requires three important steps:
- Choosing the right security framework
- Aligning with the vision and mission
- Applying slow thinking
Choosing the Right Framework
Context is essential for understanding the value of content. The right operational security framework provides value by making security transparent and accessible. By studying reputable security frameworks, enterprises can select the one that is most suitable for their needs. A framework should be selected based on several criteria:
- Internal communication and adaptation—It should be easy for nonsecurity employees to access, read and understand the content of the chosen framework. Relevant information must be easy to find and preferably be integrated into existing communication platforms. Stakeholders should consider how much information is made inaccessible because of additional hoops the receiver must jump through before accessing what is relevant to them. If this is not achievable, more customized communication to the most important stakeholders should be prioritized.
- Integration of the existing governance model—The organization’s current governance methods should be reflected in the newly adopted framework. Changing culture can be difficult for employees, so finding a framework that supports the existing model makes the transition much easier.
- External stakeholders—Enterprises should choose a framework that meets the expectations of external stakeholders. Whether customers, supervisory authorities or others, external stakeholders have a significant impact on security. Organizations should familiarize themselves with those expectations and their possible impact and take them into consideration when selecting a framework.
Choosing the right framework increases the likelihood of those involved in risk management trusting new procedures and, therefore, engaging actively with the process. When this is achieved, the output is less irrational and biased by personal opinions, ensuring that fear has less of an effect on operations.
Aligning With Vision and Mission
Context is everything. Vision and mission are rooted deep within an organization and can lend themselves to understanding the challenges an enterprise experiences.
When assessing risk, an understanding of why it is important to assess the risk is crucial. Consider this example: Parents are debating whether it is necessary for their child to wear a helmet when riding a bike. Parent A believes that the child rides the bike to go from A to B, so riding the bike is solely perceived as a means of transportation. Parent B believes that the child riding the bike is an important form of social interaction with other kids. Riding the bike is about being with others and belonging to a group.
Parent A considers the distance and route traveled, the speed of the bike and the child’s riding experience compared to the risk of injury. Parent B’s line of thinking consists of Parent A’s considerations combined with aspects of the other kids’ behavior, the child’s social status in the group, whether the design of the helmet is sufficient in the eyes of the other kids, and the other kids’ parents’ views on wearing a helmet. Parent B compares these qualities against the risk of injuries combined with the danger of feeling like an outsider compared to the rest of the group or even losing certain aspects of identity.
Although the parents agree on the basis of loving their child and wanting to protect them from harm, their differing perspectives involve different considerations with different losses and gains.
Aligning on the why is crucial to establishing a common understanding when assessing risk. This requires an enterprise to be precise when determining the objectives of risk management initiatives, which should be linked to the organization’s vision and mission.
Alignment on the why is typically driven by culture, which, for many organizations, is rarely fully controlled. Identifying and being more explicit about the why increases the likelihood of realizing the preferred outcome.
Putting the enterprise vision and mission first creates a common foundation for a more objective assessment of risk and a minimized impact of fear.
Apply Slow Thinking—Fear Thrives in the Opposite
Anyone who has ever tried to force creativity likely agrees that it is close to impossible. Many may reflect on some of the decisions they made in stressful situations and think they were not the best.
Achieving an analytic, creative state of mind requires the brain to be in a relaxed state. When stressed, the mind looks for quick and easy solutions to bring itself out of the uncomfortable state. This phenomenon has the benefit of encouraging swift reaction, but such a reaction is typically less informed than it would be under calm circumstances. When reacting swiftly, the mind’s focus is on only one or two things. Having a holistic perspective slows the decision-making process, which is why being in a stressful, uncomfortable situation is not preferable when one should apply slow thinking.
Practicing procedures is the key to success for professional groups that frequently encounter stressful situations. This is also why procedures are not written in real time during stressful situations, but rather afterward with newfound knowledge, when time and slow thinking are available.
Fear is built into stressful situations, which is disturbing. So, when the mind is in a stressful state, decisions are likely to become irrational and informed by narrowed perspectives.9 The outcome of risk management conducted with a stressful mindset must be considered: it is shortsighted, irrational and not holistic. To avoid this dynamic, practitioners should find appropriate methods (taking into account variables such as mood, sleep, food, workload, culture, exercise and skill level) or otherwise establish a clear state of mind when conducting risk management activities. This is crucial to limiting the influence of the fear that is hardwired into the mind.
Conclusion
In recent years, some have argued that risk management has failed to provide proper value. Arguments such as, “There are too many uncertainties, so why bother?” have been raised. It could be surmised that such suggestions originate from the many failed implementations of risk management that do not limit the influence of fear and create unrealistic expectations.
All living beings engage in risk management. It is wired into biology. What separates humans from other animals is the ability to cooperate with fear rather than be controlled by it.
Endnotes
1 Robinson, B.; “What Brain Science Reveals About Uncertainty and Six Strategies to Cope at Work,” Forbes, 24 August 2022, http://www.forbes.com/sites/bryanrobinson/2022/08/24/what-brain-science-reveals-about-uncertainty-and-6-strategies-to-cope-at-work
2 Kahneman, D.; Thinking, Fast and Slow, Farrar, Straus and Giroux, USA, 2013
3 Martone, R.; “Signs of Modern Human Cognition Were Found in an Indonesian Cave,” Scientific American, 17 April 2020, http://www.scientificamerican.com/article/signs-of-modern-human-cognition-were-found-in-an-indonesian-cave/
4 Our World in Data, “Number of Deaths by Cause,” 2019, http://ourworldindata.org/grapher/annual-number-of-deaths-by-cause
5 Centers for Disease Control and Prevention, “Know Your Risk for Heart Disease,” USA, 21 March 2023, http://www.cdc.gov/heartdisease/risk_factors.htm
6 Schmelzer, G.; “Understanding Learning and Memory: The Neuroscience of Repetition,” January 2015, http://gretchenschmelzer.com/blog-1/2015/1/11/understanding-learning-and-memory-the-neuroscience-of-repetition
7 World Nuclear Association, “Chernobyl Accident 1986,” April 2022, http://world-nuclear.org/information-library/safety-and-security/safety-of-plants/chernobyl-accident.aspx
8 Vicente, K.; The Human Factor, Routledge, USA, 2006
9 Sharot, T.; “Why Stressed Minds Are More Decisive,” BBC, 15 June 2018, http://www.bbc.com/future/article/20180613-why-stressed-minds-are-better-at-processing-things
Jacob Zwicki, CISM, CISSP, is the chief information security officer for group.ONE, a multibranded web hosting company. His interest lies in the intricate relationship between technology and humanity and how they influence each other. His focus is on the psychological and social impact of technology, exploring how it shapes communication, decision-making and overall well-being.