I never thought that I’d be comparing toilet-roll purchasing habits with cybersecurity risk management, but here I am in the midst of the COVID-19 pandemic seeing some interesting parallels. As an industrial automation consultant and subject-matter expert for the International Society of Automation (ISA), I travel the world talking to organizations about managing their cybersecurity risk. Common themes have emerged. I realize that both COVID-19 and industrial cybersecurity discussions provoke similar reactions—and behind both is the psychology of how people interpret and respond to risk. Here are some examples:
- There are organizations that deny the abundance of data and insist that they are not at risk. These are the COVID-19 deniers, watching the reports of the exponential spread of the virus but claiming that there is really nothing to worry about. Scottish author Hunter Davies recently tweeted: “I’m 84. I survived rationing. I’m not scared of the coronavirus,” which would be like an organization claiming: “We’ve been around for 84 years. We survived a hurricane, so we’ll survive a cyberattack.”
- There are organizations that ask for advice from cybersecurity experts, then promptly ignore that advice because it is inconvenient to them. When epidemiologists recommend taking extreme action and shutting down public events, they base this on their specialist knowledge and experience. While there may be initial resistance to such recommendations, it is almost always necessary to follow the guidance of experts. After all, expert comes from the Latin expertus, meaning tested or proved.
- There are organizations that follow others and undertake costly but ultimately ineffective or misguided responses to cybersecurity risk. A typical case is deploying expensive cybersecurity software solutions without first establishing good basic cybersecurity hygiene practices. Often the software is purchased because others have done the same, so it must be the right thing to do. But there are more important steps to take first. This is equivalent to the panic buying of toilet paper rolls that we are seeing today. While stocking up on toilet paper might seem like a sensible contingency plan, there are other factors to consider—not least exposure to the virus in the supermarket itself.
Psychologist Paul Slovic’s review article, “Perception of risk,” published in Science in 1987, gives some insight into why this happens. Slovic’s analysis compared the difference in perception of the risks of nuclear energy versus driving automobiles. He concluded that because there are so many automobile accidents, the risk is knowable. There is also limited media coverage of automobile accidents, with no speculation about unknown events. Unlike automobile accidents, nuclear energy represents an unknown risk with a relative lack of data. Nuclear accidents get widespread media coverage, resulting in speculation about possible future disasters. The result is that the lower-risk scenario (nuclear energy) induces more fear than the higher-risk activity (driving an automobile).
In the toilet paper versus community spread scenarios, the risk of running out of toilet paper is knowable, whereas there is still much uncertainty about the likelihood of contracting COVID-19, so once again people are failing to measure risk accurately. But the more you know about your risk, the less there is to fear.
Learn how ISA creates experts who understand cybersecurity risks. Browse ISA’s Cybersecurity Resources Collection to find standards, educational materials, and products that fit your organization’s needs.
About the Author
Steve Mustard is an independent automation consultant and the 2021 ISA president-elect.