DamnInteresting has an article today about The Balance of Risk which is, pardon the pun, damn interesting.
Let’s suppose your child wants to take a martial arts class. Being a conscientious parent, you check out the local dojos and find two good places. Both are suitable and well equipped. Both practice fighting with contact – but there’s one major difference. One dojo insists on a full range of protective padding – hands, feet, chest protectors, shin guards – the whole works. The other takes a much lighter approach - hands and feet, and sometimes not even those.
To the conscientious parent, the first place is going to look much safer, right? But when you look at the injury rates of the two dojos, you notice something odd: They’re about the same. The kids covered in foam padding are getting just as many bruises, scrapes, and sprains as the kids wearing almost none. What could be going on here?
What’s happening is a process known as risk compensation. It’s a tendency in humans to increase risky behavior proportionately as safeguards are introduced, and it’s very common. So common, in fact, as to render predictions of how well any given piece of safety equipment will work almost useless.
Their key points:
1) People have a risk “comfort” zone
2) People will adjust the amount of risk they perceive themselves as accepting both down and up to get within that risk comfort zone. This is called Risk Homeostasis
3) People only adjust their risk level if it gives some advantage
4) People adjust to their perceived risk level, not the actual risk level
I look at this and ask myself, How can I use this to my advantage?
What I want to do is reduce risk by getting certain people to lower their risk appetite. If I add controls but don’t tell them, then they will not compensate by behaving more riskily. If I tell them I’m adding controls but then don’t, they will raise their risk appetite just the same, this time with nothing behind it: point 4 says they respond to perceived risk, not actual risk.
Going back to the article:
For instance, consider a study of Munich taxicab drivers conducted while the taxicab fleet was being changed over to ABS braking systems. The drivers were tracked by observers unaware of which kind of brakes each cab had. Against the expectations of safety experts who recommend ABS brakes as a safety advance, the drivers with ABS brakes actually had more accidents per vehicle mile than those without. The drivers braked more sharply, made tighter turns, drove at higher speeds, and made a number of other adjustments to their driving, all of which more than compensated for their supposedly safer cabs.
So if I implement a safeguard which only mitigates the risk at certain times or under certain conditions, people will still adjust their perceived risk level as if the safeguard were present all the time.
I don’t have solid data handy, but this would seem to be consistent with what I see with our efforts at protecting mobile users (laptops) from themselves. We do an excellent job of protecting people from viruses, worms, spyware, and other forms of malware so long as they’re on the corporate network and protected by our perimeter controls.
Once they get out in the world, however, most of our safeguards go away, but users still assume that they’re “protected.” The high rate of malware detections in the morning of a given region, as its laptops come back behind the perimeter and the infections picked up off-network finally get caught, with the peak on Monday morning after a weekend away, would seem consistent with this behavior.
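As an added illustration (not part of the original post), here is a small script that aggregates endpoint malware detections by weekday and hour of day, so the Monday-morning pattern described above can be checked against an AV console export rather than impression. The log format, the host naming convention (lt- for laptops, ws- for always-on desktops) and the sample lines are all constructed assumptions, not real telemetry.

```python
from collections import Counter
from datetime import datetime

# Constructed sample log, not real telemetry. The format is an assumption:
# "<ISO-8601 timestamp> <hostname> <detection name>". Hosts named lt-* are
# taken to be laptops and ws-* always-on desktops (also an assumption).
# Two deliberately malformed lines are included to exercise the parser.
SAMPLE_LOG = """\
2006-05-15T08:12:03 lt-0412 Trojan.Generic
2006-05-15T08:20:41 lt-0098 Adware.Toolbar
2006-05-15T08:33:10 lt-0233 Worm.Autorun
2006-05-15T09:05:55 lt-0412 Spyware.Keylog
2006-05-15T14:47:20 ws-0017 Trojan.Generic
2006-05-16T08:41:09 lt-0098 Adware.Toolbar
2006-05-16 garbage
2006-05-16T11:15:30 ws-0031 Worm.Autorun
2006-05-17T09:02:12 lt-0305 Trojan.Generic
not-a-timestamp lt-0001 Trojan.Generic
2006-05-17T16:30:00 ws-0017 Adware.Toolbar
2006-05-18T10:05:00 lt-0233 Worm.Autorun
"""

WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def parse_detections(text):
    """Parse log lines into (timestamp, host, detection) tuples.

    Malformed lines (wrong field count, unparseable timestamp) are skipped
    rather than aborting the whole run, since real exports contain junk.
    """
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            continue
        events.append((ts, parts[1], parts[2]))
    return events


def by_weekday(events):
    """Detections per weekday name."""
    return Counter(WEEKDAYS[ts.weekday()] for ts, _, _ in events)


def by_weekday_hour(events):
    """Detections per (weekday, hour-of-day) bucket."""
    return Counter((WEEKDAYS[ts.weekday()], ts.hour) for ts, _, _ in events)


def peak_slot(events):
    """The busiest (weekday, hour) bucket as ((day, hour), count), or None."""
    counts = by_weekday_hour(events)
    return counts.most_common(1)[0] if counts else None


def morning_share(events, host_prefix=None, morning_end=10):
    """Fraction of detections logged before `morning_end` o'clock.

    Restrict to one host class with `host_prefix` (e.g. "lt-") to compare
    laptops that reconnect in the morning against machines that never leave
    the network; a large gap between the two is the signal to look for.
    """
    selected = [e for e in events if host_prefix is None or e[1].startswith(host_prefix)]
    if not selected:
        return 0.0
    morning = sum(1 for ts, _, _ in selected if ts.hour < morning_end)
    return morning / len(selected)


if __name__ == "__main__":
    events = parse_detections(SAMPLE_LOG)
    print("per weekday:", dict(by_weekday(events)))
    print("peak slot:", peak_slot(events))
    for label, prefix in (("laptops", "lt-"), ("desktops", "ws-")):
        print(f"{label}: {morning_share(events, prefix):.0%} of detections before 10:00")
```

Weekday totals alone conflate "Monday is when laptops come back" with "Monday is when everyone starts work"; the laptop-versus-desktop split is what separates the two explanations, which is why the script reports both.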
So, again, I ask myself, How can I use this to my advantage?
I can see two ways. The first is to view security as an enabler. If the business can take more risks with a decrease (or less than a corresponding increase) in incidents, then I have effectively added value. How much will vary from project to project, but overall, the key is that people are able to do things that were previously “too risky.”
The other way is to find ways to change perception without actually doing anything. This is similar to the old time-and-motion and productivity studies (the Hawthorne effect) which found that any change which convinces people they are being measured will increase their productivity. If it is true that any change in perceived safeguards will shift actual risk appetite accordingly, then I should ask myself, What can I do or tell people that will make them take fewer unnecessary risks but doesn’t actually require any more budget than the cost of communicating? I’ll call it Social Engineering For Good.
(Note that there is significant credibility risk in bluffing, usually far out of line with any possible benefit.)
So can I have it both ways? Can I provide safeguards and not have users increase their risk acceptance accordingly? Maybe the answer is that I can’t, assuming this truly is human nature. But I can account for the behavioral impact on the risk actually mitigated when adding part-time or limited-case protections, and knowing is half the battle.
Delightful.
You see social engineering efforts along these lines at all scales. Attempts to increase or decrease risk taking at the macroeconomic level, for example, vs. attempts to get teenagers to adjust their risk taking.
It’s another example of a situation where a middleman can help. The middleman can sell the insurance to one actor (reducing the risk) but keep its existence hidden from another actor (avoiding the behavior change). I’m reminded of that in part because of your earlier posting about Ebay getting tricked into revealing a buyer’s nominally hidden price to sellers via second chance.
[…] Another fun item from Charlie Howe’s blog about how people manage the risks in their life. People try to get what they perceive to be the right amount of risk into their lives, but they do this on really really lousy data. So there are all kinds of breakdowns. […]
Ben Hyde Says: