There is this belief in our industry that humans are fundamentally dumb about risk.

As the argument goes, we spend too much time on dangers that are unfamiliar or immediate, while neglecting the ones that are more ordinary or happen in a gradual way.

[Thread]
A common argument is that far more lives in the US are claimed by ladders, swimming pools, or OTC pain meds than by school shootings / plane hijackings / <insert your cause du jour>.

Therefore, say the critics, our disproportionate focus on the latter is objectively wrong.

I would advocate for a different take: familiar and long-standing risks more often than not represent a long-standing societal consensus on the acceptable trade-offs - and there is little to be gained by having people agonize over that every day.

On the flip side, sudden and unfamiliar dangers often warrant an immediate and forceful response, long before a societal consensus emerges. A tiger in your cave just needs to go, before we can form a Committee on the Problem of Tigers in Caves.

From that perspective, I think the risk perception bias is not a cognitive error, but a pretty clever (if imperfect) heuristic that helped our ancestors reduce the cognitive burden of staying alive - and is probably paying some dividends today.

If one wants the TSA to be defunded or school shootings to be tolerated because "ladders are worse", that's just not a solid argument for folks who do not already subscribe to the cause.

To win arguments, in Infosec and elsewhere, gotta do better than "you suck at risk".
You can follow @lcamtuf.