
RISK ASSESSMENT PROCESS AGAINST THE AVAILABLE RISK PERCEPTION: A GAP BETWEEN RISK PROFESSIONAL AND LAY PERSON ATTITUDES AND UNDERSTANDING OF RISK

Abstract: The study of risk perception and risk assessment shows that a gap certainly exists between how risk professionals and lay people understand risk. It arises from the knowledge gap between them and from other factors such as risk communication, the social amplification of risk, and traditional cost-benefit risk assessment techniques, which neglect higher-order impacts and thus underestimate overall risk. This gap can, however, be bridged by implementing certain techniques.

Introduction: Risk is defined as the possibility of a threat exploiting a vulnerability and thereby causing harm to an asset of an organisation. A simple formula for calculating risk is Risk = threat × vulnerability × impact (asset value). To understand this formula it is crucial to understand all three factors. The word threat is a little confusing, but here it refers to those things that pose a danger to information security. A threat is a potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm; that is, a threat is a possible danger that might exploit a vulnerability. A threat can be either intentional (e.g., an individual cracker or criminal) or accidental (e.g., the possibility of a computer malfunctioning, or of an act of God such as an earthquake, a fire, or a tornado) (Jones, Ashenden; 2005, p. 37). A vulnerability is a weakness of the system, which may lie in technology, people, process or assets. An asset can be physical, can consist solely of information, or can be a function that enables a business process to be carried out for the company.

Without a threat agent, a vulnerability and an impact there is no risk, but it is also significant that risk is not the same for everyone: each person has his or her own understanding of risk, and a gap always exists between the understanding of a lay person and that of a risk professional (Slovic, 1987). A risk professional thinks about risk in the particular direction in which he or she is an expert, while a lay person thinks about risk in a broader sense. Risk in information technology is very high, as threat agents are diverse and emerging technologies are becoming more and more sophisticated, which always brings a set of problems not only from the physical but also from the technical perspective. Risk can be understood through different approaches depending on the situation or the person's attitude. Lay people rely on their judgments and perceptions, and their perception of risk comes from their direct or indirect experience; risk professionals, on the other hand, do not make decisions on the basis of judgment but always use particular risk assessment techniques suited to the environment and situation. Risk assessment consists of two elements, risk analysis and risk evaluation. Risk analysis uses the available information to identify possible sources of risk, for example to identify threats or events that could have a harmful impact and to estimate the probability of their occurrence; for risk evaluation, effective communication and the definition of countermeasures are essential. The next section explains the risk assessment process and risk perception. After that, risk perception is discussed against the approaches of risk assessment. The conclusion discusses how risk perception and risk assessment can be handled together effectively.

Risk assessment process and perception of risk: Risk assessment: The elusive and hard-to-manage qualities of today's hazards have forced the creation of a new intellectual discipline called risk assessment, designed to aid in identifying, characterising and quantifying risk (Slovic, 1987, p. 280). The basic aim of the risk assessment process is to minimise the amount of risk to which an organisation is exposed by recognising which assets are most important to the business, identifying and anticipating threats, and closing vulnerabilities (Jones, Ashenden; 2005, p. 196). While doing a risk assessment it is necessary to look outside as well as inside the organisation in a controlled manner, as risk is not always negative: it can be positive, in the sense of making a profit for an organisation, and sometimes it is essential to take a risk in order to control vulnerabilities in a system. Risk assessment is generally carried out by risk assessment professionals following predefined steps and processes. All security requirements come out of risk assessments, and it is generally accepted that wherever there is risk, a threat may exploit a vulnerability to compromise the security properties of an organisation's assets (confidentiality, integrity, availability and non-repudiation). To find security weaknesses and risks, risk professionals carry out the assessment in the following steps:
1. Identify assets: assets are identified and valued on the basis of four elements: confidentiality, integrity, availability and non-repudiation.

2. Vulnerability assessment: vulnerabilities can be found by various techniques, such as penetration testing in the technical environment; scenario-based techniques can also be used to gather vulnerability issues.

3. Threat assessment: this is done to find all threat agents that could be responsible for exploiting the vulnerabilities of the system or organisation.

4. Risk assessment: in this phase all the information gathered in the previous steps is brought together to estimate the risk as high, medium or low.

5. Define countermeasures: the final step is to define and select proper measures to avoid, mitigate or transfer the risk with suitable techniques; in a computer-based environment, for instance, proper updating or patching is required and new access control mechanisms, firewalls and so on should be implemented.

In the risk assessment process, industry spends a great deal of money on countermeasures to minimise or mitigate risk. For instance, an information technology company spends money on implementing a firewall to protect itself from data breaches, yet even a single risk event with minor consequences often elicits strong public concern and produces extraordinarily severe social impacts, at levels unanticipated by conventional risk analysis. The point is that traditional cost-benefit and risk analyses neglect these higher-order impacts and thus greatly underestimate the variety of adverse effects attendant on certain risk events (and thereby underestimate the overall risk from the event) (Kasperson, Renn, Slovic, and Brown, 1988, p. 179). The risk assessment process depends on external factors, but risk professionals focus narrowly on the events themselves and define risk by a particular formula, such as the multiplication of threat, vulnerability and impact described above, and because of this they often fail to inform societal choices regarding technology. Though risk professionals always try to make their risk assessment design perfect, risk communication always affects their results. One of the miracles of democratic life is the ability of lay people, often with little formal education, to master technical material when sufficiently motivated (e.g., by the siting of a hazardous facility). Unfortunately for risk managers, the motivation for this self-education often comes from a feeling of having been wronged (Fischhoff, 1995).

Risk perception: Risk perception is the subjective judgment that people make when characterising or evaluating hazardous items or activities. Various theories have been proposed to explain why different people make different judgments about the dangerousness of risks. These theories have been characterised into three major families: psychological approaches (heuristics and cognitive), anthropological/sociological approaches (cultural theory) and interdisciplinary approaches (the social amplification of risk framework).

Social amplification of risk: This is an interdisciplinary approach to risk perception based on the communication theory of risk. It is described here to explain risk communication, in which risk professionals sometimes fail, so that their risk assessment goes in the wrong direction. Amplification occurs at two stages: in the transfer of information about the risk, and in the response mechanisms of society. Signals about risk are processed by individual and social amplification stations, including the scientist who communicates the risk assessment, the news media, cultural groups, interpersonal networks, and others. Key steps of amplification can be identified at each stage. The amplified risk leads to behavioural responses, which in turn result in secondary impacts (Kasperson, Renn, Slovic, and Brown, 1988). These secondary impacts affect people's mental perception, the business economy, the physical nature of the risk, and the training and education of people. The secondary impacts then lead to third-order impacts (temporal and spatial), which makes the concept of social amplification dynamic. The social amplification steps that take place in the transfer of information are:

1. Filtering of signals: a person processes only a small amount of information out of a large chunk of information.
2. Decoding of the signals: how people understand the information given to them. Decoding depends on the person's individual knowledge and on other factors such as social groups.
3. Processing of risk information: how people make their logical judgments.
4. Attaching social values to the information in order to draw implications for management and policy.
5. Interacting with cultural and peer groups to interpret and validate signals.
6. Formulating behavioural intentions to tolerate the risk or to take action against the risk or the risk manager.
7. Engaging in group or individual actions to accept, ignore, tolerate or change the risk.

Social amplification of risk shows how external information can change people's thinking at each stage of communication, and this can certainly create a gap between the thinking of the risk expert and the lay person. Experts do not consider factors like time, space and social groups, which are essential elements of risk perception. Perception of risk generally comes from direct experience with the risk, but when direct experience is lacking, media communication and the dramatisation of risk influence people's perception. Moreover, informal communication channels like friends, neighbours and social groups are also responsible for divergent risk perceptions: as risk information travels from one person to another, everyone interprets it in their own way and then passes it on.

Risk assessment can be done in two ways: quantitative and qualitative.

Qualitative risk assessment by risk professionals: Qualitative risk assessment is based entirely on communication and on the past experience and knowledge of the people involved in the assessment. Communication-based techniques such as Delphi, brainstorming, storyboarding, focus groups, surveys, questionnaires, checklists, one-on-one meetings and interviews are used to access the public's or the staff's views on how they perceive risk. During the risk analysis a group is presented with a scenario that describes a threat and its loss potential, and each member responds, from past experience, on the likelihood of the threat and the extent of the damage that may result. This scenario-based process is a comparatively recent technique for measuring risk. A scenario of one or two pages is written for each major threat, and the risk professional for that particular threat evaluates how far the safeguards diminish the possibility of the threat; the exposure possibility and loss possibility can then be ranked as high, medium or low, or on a scale of 1 to 5 or 1 to 10. Once this is done, the scenario is presented to the participants to rank according to their perspective, and the threat level is measured. In this kind of process, communication must happen among team members to rank risks and safeguard strengths and to identify weaknesses, and the people who know these subjects provide their opinions to management.

For example, a risk professional writes a one-page scenario explaining the threat of hackers exploiting the confidentiality of five file servers or data centres of an organisation, and a group of people such as the IT manager, database administrator, system operator, application programmer and operational manager are invited to give rankings on the basis of their knowledge and experience. Rankings are given for the threat level, safeguard effectiveness and loss potential, with ratings from 1 to 5, 1 being least effective or probable and 5 being most effective or probable. Finally a table is generated to measure the overall result. An example table is shown below.

Threat: hackers accessing confidential information. Ratings from 1 (least probable / least effective) to 5 (most probable / most effective) by the IT manager, database administrator, application programmer, system operator and operational manager; Result is the mean of the five ratings.

Threat level                                   Result
Probability of threat taking place               3.6
Potential loss to the company                    3.2
Effectiveness of firewall                        3.6
Effectiveness of intrusion detection system      1.6

Individual ratings (twenty cells, five per criterion, in the order printed): 1 3 2 4 4 3 4 3 2 1 2 5 4 5 4 2 3 4 2 2

Table 1.

This table shows the overall result on the basis of what information is given to the people, how it is given, and how their knowledge affects the result. The results could be quite different if the people involved in the scenario came from different backgrounds and knowledge; everyone perceives risk differently according to their knowledge, past experience and the way information is given to them. All this leads to a theory of risk perception in which certain factors can hamper the correct risk assessment process.
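The aggregation behind Table 1, written out as an added example (this is not code from the essay): it computes the Result column as the mean of the five assessors' scores, bands it high/medium/low as in step 4 of the assessment process, and adds a spread column (maximum minus minimum) so that disagreement among assessors is visible instead of being averaged away. The assessor roles and criteria are the table's; the individual ratings are constructed sample data chosen to reproduce the essay's Result column, and the spread column, the banding into thirds of the scale and the disagreement threshold of 3 are assumptions made here. Replacing one assessor shows the point of the paragraph above: the Result column changes with no change to the servers, firewall or intrusion detection system being assessed.

```python
"""Aggregate 1-5 ratings from a scenario-based qualitative risk assessment.

Added example for the essay's Table 1 (not code from the essay). The assessor
roles and criteria are the table's; the individual ratings below are
constructed sample data chosen so that the Result column reproduces the
essay's means (3.6, 3.2, 3.6, 1.6). The spread column, the low/medium/high
banding and the disagreement threshold are assumptions added here.
"""
from statistics import mean

ASSESSORS = [
    "IT manager",
    "Database administrator",
    "Application programmer",
    "System operator",
    "Operational manager",
]

# Constructed ratings: one row per criterion, one score per assessor,
# 1 = least probable / least effective, 5 = most probable / most effective.
RATINGS = {
    "Probability of threat taking place":          [4, 3, 4, 4, 3],
    "Potential loss to the company":               [3, 4, 2, 4, 3],
    "Effectiveness of firewall":                   [4, 3, 4, 3, 4],
    "Effectiveness of intrusion detection system": [1, 2, 1, 2, 2],
}

SCALE_MAX = 5
DISAGREEMENT = 3  # assumed: a max - min of this size or more deserves a discussion round


def band(value, scale_max=SCALE_MAX):
    """Map a mean rating onto the high/medium/low scale of step 4 (thirds of the scale)."""
    if value <= scale_max / 3:
        return "low"
    if value <= 2 * scale_max / 3:
        return "medium"
    return "high"


def aggregate(ratings, n_assessors=len(ASSESSORS), scale_max=SCALE_MAX):
    """Return {criterion: (mean rounded to 1 d.p., spread = max - min, band)}.

    Rows with the wrong number of scores or scores off the scale are rejected,
    so a mistyped rating sheet does not silently produce a Result column.
    """
    result = {}
    for criterion, scores in ratings.items():
        if len(scores) != n_assessors:
            raise ValueError(f"{criterion}: expected {n_assessors} scores, got {len(scores)}")
        if any(not 1 <= s <= scale_max for s in scores):
            raise ValueError(f"{criterion}: scores must be within 1..{scale_max}")
        avg = round(mean(scores), 1)
        result[criterion] = (avg, max(scores) - min(scores), band(avg, scale_max))
    return result


def replace_assessor(ratings, index, new_scores):
    """Copy of `ratings` with assessor `index` replaced; one new score per criterion, in row order."""
    if len(new_scores) != len(ratings):
        raise ValueError("need one replacement score per criterion")
    return {
        criterion: scores[:index] + [new] + scores[index + 1:]
        for (criterion, scores), new in zip(ratings.items(), new_scores)
    }


def flagged(aggregated, threshold=DISAGREEMENT):
    """Criteria whose assessors disagree enough that the mean hides a gap in perception."""
    return [c for c, (_, spread, _) in aggregated.items() if spread >= threshold]


def print_table(title, aggregated):
    print(title)
    print(f"{'Criterion':<45} {'Result':>6} {'Spread':>6}  Band")
    for criterion, (avg, spread, level) in aggregated.items():
        print(f"{criterion:<45} {avg:>6.1f} {spread:>6}  {level}")
    print("flagged for discussion:", flagged(aggregated) or "none", "\n")


if __name__ == "__main__":
    print_table("Table 1 as constructed", aggregate(RATINGS))
    # Same scenario, but the operational manager is replaced by someone who has
    # lived through a breach that the IDS caught: the Result column moves without
    # any change to the servers, the firewall or the IDS themselves.
    swapped = replace_assessor(RATINGS, ASSESSORS.index("Operational manager"), [1, 3, 4, 5])
    print_table("Table 1 with one assessor replaced", aggregate(swapped))
```

The spread column is the practical check the essay's table lacks: a Result of 3.2 produced by scores of 3, 3, 3, 3, 4 and one produced by 1, 1, 5, 5, 4 call for very different follow-up, and only the second shows the gap in perception that this essay is about.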

Risk perception against qualitative risk assessment: There are two approaches to risk perception that can affect qualitative risk assessment. Social and psychological approach: these approaches are vital in risk perception, as people mostly perceive risk through their past experience, psychological needs and social behaviour. Perception of the risk from a particular hazard will be higher if something undesirable has happened to the person. For example, data breaches occur on a daily basis and are very likely to happen, yet people's perception of this risk is not high; but if a person has the direct experience of losing his or her credentials while doing internet banking, or loses important data at a high cost, then he or she is more likely to take the risk seriously in future and to think about implementing more advanced measures, such as patching the system with new security updates. Media communication also plays its part in risk perception. The approach called the psychometric paradigm identifies numerous factors responsible for influencing individual perceptions of risk, including dread, newness, stigma and others. It has been shown that risk perception is highly dependent on intuition, experiential thinking and emotions, and it is an approach to people's attitude toward risk. This approach can be used to make quantitative judgments about people's judgments of the desired level of regulation and risk, so integrating it into qualitative risk assessment can give better results. Perception of risk can become higher if a person has a strong belief about a certain aspect of risk and finds evidence or someone to support that belief, which happens because of the psychology of human behaviour: new evidence appears reliable and informative if it is consistent with one's initial beliefs; contrary evidence tends to be dismissed as unreliable, erroneous or unrepresentative (Slovic, Fischhoff, and Lichtenstein, 1982, p. 85). A sociological aspect of human behaviour is that people are willing to tolerate higher risk from activities that seem highly beneficial to them: the social acceptance of risk is directly influenced by public awareness of the benefits of an activity, as determined by advertising, usefulness, and the number of people participating (Starr, 1969, p. 1237). For example, although there are many risks associated with cloud computing, such as data loss and loss of confidentiality and data integrity, people are more influenced by its benefits than by its risks, and so are more willing to accept the risks associated with it. Furthermore, in the social aspect, people's perception of risk depends on their involvement in the activity. Voluntariness urges them to accept risk willingly; as Starr (1969, p. 1237) states, the public is willing to accept "voluntary" risks roughly 1000 times greater than "involuntary" risks. While doing a risk assessment in a technical way, risk professionals do not consider psychological factors; they care only about the steps that need to be followed to complete the risk assessment process. Sometimes risk professionals become overconfident, and because of this their assessment does not minimise or mitigate the risk effectively.


Risk perception against quantitative risk assessment: Quantitative assessment of risk by professionals is based entirely on historical events, and it is difficult to gather reliable data on past activities. If the data are not reliable, an accurate assessment is not possible either. Moreover, risk professionals do not consider the judgments of people while doing a quantitative risk assessment, on the grounds that people's judgments cannot be quantified, but the psychometric paradigm of risk perception contradicts this: psychometric procedures can be used to elicit quantitative judgments of perceived risks and benefits from various activities and technologies, as well as judgments of acceptable risk levels (Fischhoff, Slovic, and Lichtenstein, 1978, p. 127-152). In addition, experts or risk professionals see riskiness as synonymous with expected annual loss or mortality in a quantitative assessment, while lay people judge risk on the basis of voluntariness and their knowledge about the event. Furthermore, people are not only interested in or worried about the magnitude of a risk but also about the type of risk; technicians, by contrast, assess only the magnitude of the risk, usually expressed as the possibility of suffering damage.

Conclusion: It is true that a gap always exists between experts' and lay people's understanding of risk, and it is clear that this is because of the gaps in their knowledge, attitude, society and communication. Though lay persons have a rich sense of understanding risk, this is not true in every circumstance. For instance, in handling risks related to nuclear plants, chemical engineering, environmental engineering and so on, lay persons are not better than risk professionals, so both should respect the ideas and knowledge of each other. Moreover, it is possible to bridge this gap by implementing certain things: information should be the preferred tool, but this information should not be used by the mass media and their supporting groups, who try to sell information regardless of its scientific seriousness. Any other viable course of action would require governmental action. Selected topics should be included in educational programmes starting from primary and secondary school level. Moreover, the risk perception approach can help to understand and anticipate public response and to improve risk communication between lay people and risk professionals.

References
Fischhoff, B. (1995). Risk Perception and Communication Unplugged: Twenty Years of Process. Risk Analysis, 137-145.
Fischhoff, B., Slovic, P., Lichtenstein, S., et al. (1978). How Safe is Safe Enough? A Psychometric Study of Attitudes Toward Technological Risks and Benefits. Policy Sciences, 127-152.
Harris, S. (2010). CISSP. New York: McGraw-Hill.
Jones, A., & Ashenden, D. (2005). Risk Management for Computer Security. Amsterdam: Elsevier.
Kasperson, R. E., Renn, O., Slovic, P., Brown, H. S., et al. (1988). The Social Amplification of Risk: A Conceptual Framework. Risk Analysis, 177-187.
Risk perception. (n.d.). Wikipedia. Retrieved February 21, 2011, from http://en.wikipedia.org/wiki/Risk_perception
Slovic, P. (1987). Perception of Risk. Science, 280-285.
Slovic, P., Fischhoff, B., & Lichtenstein, S. (1982). Why Study Risk Perception? Risk Analysis, 83-93.
Starr, C. (1969). Social Benefit versus Technological Risk. Science, 1232-1238.

