Sunday, January 23, 2011

Peter Sandman and risk communication

Many of us in the infosec profession struggle with communicating risk.  Not only do we need to communicate it upstream to the decision makers, but we also must spread it wide and downstream to the every day folks so they can do their jobs.  

In my work in disaster preparedness, I stumbled across the work of Peter Sandman.  I've read most of his articles on risk communication. I really found a lot of useful wisdom in his advice on how talk about scary potential future events.  Although his specialty is disasters such as pandemics and major industrial accidents, his breakdowns of the psychology behind risk communication is sound.  And in many cases, an infosec practitioner must also deal with business continuity, so it can be directly useful.

One component of his advice I find most interesting is his breakdown of Risk = Hazard + Outrage.   He says,

In the mid-1980s I coined the formula “Risk = Hazard + Outrage” to reflect a growing body of research indicating that people assess risks according to metrics other than their technical seriousness: that factors such as trust, control, voluntariness, dread, and familiarity (now widely called “the outrage factors”) are as important as mortality or morbidity in what we mean by risk.

With this, he describes outrage management, which for us, is about how we handle incidents.  Not the technical pieces of incident response, but how we communicate the incident to all the stakeholders (executives, customers, auditors), with the ultimate goal of minimizing the reputation damage.   I see similar factors at play in communicating a massive oil spill and handling a public disclosure of a severe vulnerability in your product.

Many interesting lessons on his site and worth spending some time seeing what might prove useful for you.


David Ropeik said...

hi. I have a google search alert for 'risk communication' and came across your post. I am a fan and student of Peter's. I also teach and write about risk communication, and advocate a similar but somewhat unique approach, based on a richer understanding of the psychology behind people's perceptions. That psychology has been studied in depth and really helps with the challenge of communicating risk, which is why I wrote the book "How Risky Is It, Really? Why Our Fears Don't Always Match the Facts". Your post suggests you and your readers and field might find it useful.

Stealthy Dachshund said...

He's a brilliant communicator.

I use his graph (outrage and hazard on the axes) when explaining to my executive why we need to communicate in a particular way.

I've done a lot of comms for emergency planners for oil and gas work (low hazard, high outrage) and his lessons have been a godsend.