The psychologist Gerald Wilde certainly thinks so – and he’s armed with credible examples that back up his claims
Here’s one such example of what psychologist Gerald Wilde calls risk homeostasis.
On Saturday, 2nd September, 1967, the population of Sweden went to sleep as a nation that drove on the left hand side of the road. The next day, following a change to align them with bordering neighbours, they awoke as a nation that drove on the right hand side of the road.
The change was unpopular. 83% of the nation voted against it. As the country awoke on Sunday, onlookers braced themselves for a spate of high speed, head on collisions – which they themselves might very well encounter.
But on that Sunday, accident levels were significantly lower than average. Just a handful of serious accidents were reported.
The days went by and the trend continued. Fatal accidents plummeted and motor insurance claims fell by 40%.
It’s these unexpected results – and a host of others like them – that fuel Gerald Wilde’s controversial theory of risk homeostasis… a theory that has serious ramifications for the world of cyber security.
Risk homeostasis in a nutshell
In a nutshell, risk homeostasis says people are willing to tolerate a certain level of risk, which changes as the benefits (and/or costs) of shouldering (and/or avoiding) risks change.
Driving whilst re-tuning the radio comes with risk, yet most people are willing to do so most of the time. If driving whilst re-tuning the radio was seemingly likely to result in a head-on collision, though, you’d presume fewer people would be willing to take the risk.
Researchers propose this is precisely what happened in Sweden back in 1967. The risks associated with driving increased, so people drove more cautiously. The net effect was a short-term decrease in collisions thanks to the increased risk.
The flipside would be an increase in collisions following a decreased risk.
Put another way, the theory argues better cyber defences could increase your chance of suffering a cyber attack.
Risk homeostasis and cyber security
The following thought-experiment spells out why.
Let’s assume your people perceive the risk of a cyber attack to be 7/10. You then rollout new firewall protections that nullify 50% more threats. Perceived risk decreases to, say, 4/10.
And then someone receives a spear-phishing email.
Under the old rules, opening the email was pretty risky. Under the new rules, there are greater protections. After all, the email might not be a hoax. In fact, it might be important. And why bother wasting time by checking with a superior? The new defences surely are a failsafe either way?
Strong and repeated evidence suggests thought processes like the above are precisely what happens in practice.
Failure to counter risk homeostasis, then, might well render new defences worse than useless.
Uncovering the solution
At CybSafe we make no attempt to hide the fact that we strongly believe failing to address the human aspect of cyber security causes companies problems.
We believe people are in fact part of the solution; not the problem.
So instead of throwing your hands up in despair, it’s worth asking the question:
Given the complex nature of people, how can we account for risk homeostasis when addressing cyber security challenges?
It turns out doing so is easier than you’d think.
A prediction for the future
Let’s go back to the theory.
To reiterate, risk homeostasis says people tolerate a certain level of risk, which changes as the benefits (and/or costs) of shouldering (and/or avoiding) risks change.
According to the theory, if we reward cautious behaviour we can expect people to behave more cautiously – which a recent review of 120 published evaluations confirms.
As far as we know, few companies are currently incentivising cautious behaviour – which perhaps explains the proliferation of successful cyber attacks.
As time goes on and the scale and frequency of cyber attacks continues to rise, we predict more and more companies will begin folding cyber security performance into performance reviews and more and more companies will begin to praise and reward good cyber security performance accordingly.
You might have noticed the above is exactly what risk homeostasis predicts – but let’s set the theory aside for the moment.
The vast majority of today’s cyber criminals choose to exploit human vulnerability.
By properly addressing the human side of cyber security, your people can become your greatest defence.