People have evolved over millions of years to be…really bad at some things. Understanding scale and the related concept of estimating turns out to be one of those things, and (when people try it) clearly an area Where Math Breaks. In fact there are entire fields of study built around the systematic failure of people to conform to the mathematical expectations of their behavior. People have issues in terms of perception, biases, and cognition that produce repeatable, measurable errors.
Take physical scale, for example. People tend to be reasonably good at estimating scale within a few orders of magnitude of our own size…how much bigger an elephant is, or how much smaller an insect…but far worse at estimating the same number of orders of magnitude at other scales. If you want to know how much bigger a bacterium is than a virus, or how the diameter of the solar system compares to the size of the sun, check out this fantastic little tool that covers 62 orders of magnitude (from quantum foam to the observable universe and beyond) with a single slider-controlled graphic.
Similarly with area and volume. Research shows that on a linear scale (color, position on a line, sound pitch) we can perceive between 4 and 8 distinct positions (2 to 3 bits of information)…think do-re-mi or Crayola. In two dimensions that should give us 64 positions to choose from, yet the measured capability is more like 16. And in three dimensions…well, you guess how many jellybeans are in the jar.
Then there are the cognitive biases, with names like the Halo Effect, Fading Affect Bias, and the IKEA effect (really…who would make up such a thing). Understanding these biases won a Nobel Prize in 2002 for Daniel Kahneman in honor of work he did with Amos Tversky over many years.
Which brings us to the real point of the discussion and why it relates to cybersecurity. People are really bad at perceiving risk. The graphic shows perceived and actual risk for a variety of hazards, with each hazard shown as a separate color…public outrage is very high for terrorist attacks, while the actual risk is very small, and traffic accidents are the opposite. For hazards related to cybersecurity, the fact that relatively few people have experienced an attack (even when they are victims), the difficulty of understanding the losses incurred, and many similar factors seem to lead us to dramatically underestimate the direct risk of cyber attacks. Worse yet, the theory of risk compensation implies that we change behavior in the face of perceived risk, engaging in riskier behavior when we feel more protected (à la Booth’s Rule #2, “the safer skydiving gear becomes, the more chances skydivers will take, in order to keep the fatality rate constant”). So, one possible way to improve cybersecurity is simply to escalate people’s perception of their own personal risk. Scale and estimation are certainly places Where Math Breaks, but perhaps we can use that breakage to our mutual advantage.