Wednesday, January 07, 2009


I’m reading a great book: The Science of Fear by Daniel Gardner.

I highly recommend it. It’s an analysis of how and why our fears are often irrational; we fear things that are not particularly likely, and don’t fear things we should.

In one of this early chapters, he talks about how people refused to fly in the months after 911, and drove instead. He explains even if the risk of a terrorist attack on an airplane in the post-911 era had been much higher than it was, it would still have been much safer to fly than to drive. He also points out how many people died because they drove instead of flying.

Why did that do that? Why did so many people react in such an irrational manner to what was truly a terrifying event?

Gardner explains that we have two systems of thought: System One is the unconscious, intuitive system of thought that is to some extent an artifact of our evolution. As Gardner says, it’s our gut instinct . . . the immediate response we needed when a lion showed up or we were confronted by some other visceral, physical threat when we lived in a more threatening world. System Two thought is the rational mode of thought we have evolved over the last millennia; it’s the more modern system of thought.

As Gardner explains, the people who refused to fly after 911 were giving in to System One thought. They were not assessing the situation rationally; they were reacting to the horrible images and stories they’d seen on TV and in newspapers. So from an outside observer’s perspective, what they did was irrational and foolish (not to mention self-destructive). That, he explains, doesn’t matter. From what I’ve read so far, it seems System One thought will trump System Two thought in any situation in which physical danger crops up (and maybe in others, as well . . . I’m not that far into the book.)

All of that made me think about how we – as a species – react to cyberthreats. It seems to me there’s a lot of System One thought going on when it comes to cyberthreats.

I don’t know about you, but whenever I mention to a “civilian” (i.e., to someone who isn’t a lawyer or someone who works in the cybercrime or computer security area) that my specialty is cybercrime, I almost always get the same reaction. They always talk about how horrible and frightening the online predators are. No one ever wants to talk about what I, for one, see as the more interesting, more serious concerns . . . the attacks on businesses, government agencies and other targets, the fraud and extortion, etc. No . . they want to talk about some “horrible” story they “heard” about a pedophile online.

I’ve never understood that. I’ve never understood why these people seem to find the notion of online pedophiles to be so spectacularly frightening when, as far as I can tell, a child is much more likely to be harmed in the real, physical world by someone he or she knows . . . Uncle Fred or the soccer coach or the Boy Scout leader or the neighbor, etc. That, I guess, is giving into System Two thought.

I’m still reading the book, and I’m still thinking about all this, but what I’ve read so far makes me wonder if System One thought doesn’t explain several things . . . one is the phenomenon I noted above, i.e., the focus on the army of pedophiles who are trolling the Internet to do uncertain things to unsuspecting children. I know pedophiles and perverts can stalk and harass and do other things to children in cyberspace, but I also don’t see how the “harm” they inflict rises to the level of the “harm” inflicted on children by the pedophiles they know. (I also don’t see why parents can’t take steps to minimize or eliminate the risk of online victimization, but that’s another issue.)

What I’m really wondering about is if the problem computer security people and others who try to convince people to secure they systems and generally protect themselves (and their employers) from cyberthreats face is that they’re relying on System Two thought. From what I’ve read so far, it’s pretty clear that System Two thought is dull, compared to System One thought, and is therefore less likely to motivate us to do things. We buy Brinks and ADT home security systems because we see the scary commercials on TV and read scary stories about home invasions; System One though at work.

We don’t really do much of anything to secure our computers and protect ourselves from online criminals because . . . it’s just not scary. It’s more of a cerebral threat, and while we can at some level understand those threats, they just don’t motivate us in the way home invaders and lions on the loose do. It’s an interesting notion. I’ll have to give it more thought.


Christa M. Miller said...

"We don’t really do much of anything to secure our computers and protect ourselves from online criminals because . . . it’s just not scary. It’s more of a cerebral threat...."

It's also highly technical, and the mass media with its soundbites largely has not been able to find a way to explain it in terms the average viewer/reader can understand on a level that affects them. As a LE reporter, that certainly gets me thinking!

Susan Brenner said...

I agree with you about the highly technical part and the related part of trying to explain it in a way the average person can really understand.

I think part of the problem is that we just don't see media portrayals of the harm criminals can inflict by exploiting gaps in security.

My sense, based on conversations a few years ago with a fellow who was considering a documentary on all this, is that cybercrime is not seen as particularly cynematic . . . he kept saying that all he could show was people typing, which is true. Seems to me you can also show the consequences, which have a cinematic, visceral impact, but I could be wrong.

Christa M. Miller said...

Right, for a documentary, it should be (if not easy) then at least possible to create animation showing the impact on networks nation- and worldwide.

Another of few options would be to discuss the cost and how that impacts the average citizen... but people don't tend to respond to financial impact anymore, not in that visceral way. People figure it's part of life by now, something that will just happen anyway whether via cybercrime or corruption.

Plus, even if journalists did find a strong way to report these issues... they'd still have to compete with the "bleeding leads," not to mention the stories about shark attacks and plutonium making it into US ports (i.e. stories seen as media overhype).

Susan Brenner said...

I hadn't thought about the animations. . . that's a really good point.

And I agree with you on everything else you said . . . I'm afraid it's going to have to take a high-profile case to generate interest.

Anonymous said...

Call me a cynic, but I also think that a lot of it has to do with baser human nature: how does this affect ME? Most people don't get too exercised about exploits involving government or business systems because they believe (mistakenly) that it doesn't "touch" them. But the pedophile army (I love that phrase, BTW), the identity thief, the cyberstalker? That would affect them personally, so they take an interest in it disproportionate to the actual threat. The more attenuated the victim, the less interest the public shows in the danger, however far-reaching it is when viewed rationally.

Susan Brenner said...

I absolutely agree with you about the "how does this affect ME?" part of the fear dynamic. That's probably part of the System One, evolved to keep us alive in the fact of lions and other threats, he talks about in the book.

Actually, it might even go to my point: System One thought (which he calls Gut) cares about itself, primarily (though we can be altruistic). The systemic harms are, I think, we can appreciate only at the System Two (Head) level . . . and therefore are much less compelling.