Perceived Vulnerability Paradox: Did COVID-19 actually change the way we think about cybersecurity?

All my social media accounts have exploded. It seems like people are engaged in endless fights. About half of news items and posts I see talk about the future apocalypse due to COVID-19, how our lives will never be the same again, and how we will all "die horribly". At the same time, the other half of posts and news items causally laugh at the current situation, saying that the propensity to contract coronavirus is "lower than getting into a car accident" and sarcastically suggesting that people are being "irrational" fighting over bottles of hand sanitiser and rolls of toilet paper. I even saw the phrase "Coronavirus Era" in the media... I have previously discussed how cybercriminals use COVID-19 as an attention grabber to deploy sophisticated as well as simple social engineering campaigns. Yet, in the light of claims that COVID-19 somehow will reshape cybersecurity for good, I feel that (despite all the hysteria and fatigue associated with coronavirus) it is important to address this issue. So, did COVID-19 actually change or will it change the way we think about cybersecurity?

What is the main behavioural issue when uncertainty is high?

There are many attempts to analyse human behaviour at times of the crisis (especially the crisis related to a lot of uncertainty, which we are experiencing today), but what surprises me about the current situation is the multiplicity of voices naming rather strange reasons as explanations of human behaviour. For example, check out this recent opinion piece from the CNN, listing all sorts of reasons why people may want to panic buy masks, toilet paper and hand sanitiser from bandwagoning effect to illusion of control. It may well be that these reasons do play a role, but they are definitely not the main reasons. There is a much more fundamental issue at play here, which is deeper than any heuristics or bias.

The key to the observed behaviour is the fact that, as humans, we do not understand probability (or chance). Quite some time ago (way back in 1979 believe it or not) psychologists Daniel Kahneman and Amos Tversky proposed that people make serious mistakes when they think about probabilities. Particularly, they maintained that, generally, people tend to underestimate large probabilities and overestimate small probabilities. In other words, as humans, when we think about probabilities, we never take the probability at its face value. Instead, we distort it and, in our mind, we have our own understanding of it. These distortions do not go away when we think about our health. As of today, 121,175 people around the globe have contracted COVID-19, of which 49,894 are currently infected and 71,281 are closed cases. And among those 71,281 closed cases 4,377 are fatalities. Now, considering these numbers, if contracted, the probability of death of COVID-19 is 6%.

Yet, the actual probability of contracting the virus depends on a lot of different factors, including where you live, density of population, sanitary conditions, etc., etc. And, clearly, the probability of dying depends on many factors as well. But the problem is that the majority of people do not think about all these factors. Furthermore, they do not even take 6% and overweigh it, they consider compound probabilities and exaggerate these compound probabilities at several stages such that they get a really hyper-inflated individual numbers (as "perceived" probabilities) in their heads.

How does it work?

So, here is an overly simplified picture of what is going on. You can think of a "risk" as a probability or chance of something bad happening (in principle, for the sake of this argument, let's just say something bad happening to the entire planet). Then you can think of "regional vulnerability" as a probability of something bad happening close to you. Finally, you can think of "individual vulnerability" as a probability of something bad happening to you personally. Now, you have 3 numbers "risk", "regional vulnerability" and "individual vulnerability". All of these numbers represent some probability or chance and even if each number is small, you will overweigh each number at each stage of your consideration. So, instead of thinking in terms of conditional probabilities, you will have a hyper-inflated number in your head. And this is what we observe right now: even if the actual probability of getting sick for you individually might be 1 chance in 10 million, you may think that it is close to 100% and then the probability of death is also hyper-inflated.

Are people really irrational?

Considering this, does it mean that people are irrational? Of course not, they simply exhibit the Perceived Vulnerability Paradox - i.e., they hyper-inflate probability numbers in their heads when the probability of something bad happening to them personally, conditional on the probability of something bad happening (a) in principle and (b) to others, is small. This means that people do behave rationally. It is just that they are rational according to these distorted "subjective" probabilities. Obviously, if people's perceptions of probabilities are this bad, there is no point in trying to reason with crowds storming toilet paper sections of the supermarket or fighting for the last bottle of hand sanitiser (in their own understanding, these people are "saving their lives").

There is nothing new about such behaviour. It has always existed throughout the history and it will exist as long as humanity exists. And there is really nothing different about the current situation. So, people who are wearing masks despite the fact that every decent scientist tells them that it is useless as a protective measure against COVID-19 are not that different from businesses who spend millions on certain cyber security solutions, which ultimately make no difference whatsoever.

Of course, our misinterpretation of probabilities is contaminated by many other behavioural regularities and habits, of which two are particularly worth mentioning when we are talking about similarities of our perceptions and behaviour with regard to health and security. First, as humans, we really fall for the visible displays of security. A mask is not just a mask to us - it is a visible demonstrator of security; much like security perimeter or multi-stage authentication are visible demonstrators of security in cyber space. There is a big question about whether and to what extent these measures are effective: a virus can get through your mask much like well-trained cybercriminal can get through your multi-stage authentication system. But we feel more secure when security measures are salient. Second, notice that in both cases - COVID response and cybersecurity response we tend to think about how to prevent exposure (i.e., how not to get sick or how not to become a victim of a cyberattack) instead of concentrating on our resilience, making sure that we can handle the crisis and put all systems back on track quickly, should it occur.

Take Aways

So, does COVID-19 change our perceptions of cybersecurity? It does not appear so. In both domains, we continue to exhibit our inability to process, understand and change the odds we are facing. Yet, my hope is that the current crisis will teach us how to make our supply chains more resilient so that we are able to better cope with uncertainties of the future. In conclusion, I would ask you to try to "keep calm and carry on", but I know that you will behave according to what your personal probability barometer tells you. Therefore, I will just ask you to try to be considerate of others in these difficult times. No matter how much you think you need that hand sanitiser, it will be pretty useless to you if you are the last person on the planet... One thing I know for sure, I really do not want the rest of my life to be labelled as "Coronavirus Era" - I hope it will be an Era of more weighted and collaborative thinking about global challenges.

#creativity #cybercrime #cyberrisks #cyberthreats #datasecurity #cyberattack #hacking #risk #infosec #security #ransomware #phishing #dataprotection #informationsecurity #COVID #resilience #robustness