Last night I stumbled across a documentary on BBC2 (content only available to UK residents – sorry!) about the human brain. One section talked about how the brain perceived risk issues – obviously an interesting topic for security folk!

A test subject was placed into a brain scanner and asked to estimate the likelihood of 80 different negative events occurring to him in the future – from developing cancer, to his house being burgled, to breaking a leg etc.  Once he had stated his opinion, the real likelihood was then displayed to him.

At the end of the 80 events, the process resets and the subject is presented with the same events and asked to, once again, state his perceived likelihood, although this time with some knowledge of the actual answers.

The results are surprising. 

Where his initial response had been too pessimistic, the test subject adjusted his perception to align with the actual likelihood. However, where he had initially been too optimistic, his opinion remained largely unchanged by the facts! It was apparent that the brain proactively maintained a ‘rose-tinted’ view of the risks, accommodating a more optimistic view but shunning anything more negative.

The scientists argued that the brain does this for two main reasons:

1 – To minimise stress and anxiety, for the resultant health benefits; and

2 – Because an optimistic outlook helps drive success, support ambition and keep humanity striving for a better future.

This is interesting on its own, but becomes more so when you compare it with society’s appetite for bad news. It’s common knowledge that bad news sells, which is why our newspapers peddle it almost exclusively and, to some extent, we can understand why it appeals – our subconscious has always needed to be more attuned to a cry of “Wolf!” than to a regular call of “No wolves in sight”.

So, it seems that our nature is to seek out bad news, but then ignore the lessons that it should be teaching us; and to make this worse, when we find a story that allows us to believe that the risk is reduced, we accommodate and synthesize that almost immediately, building it into our new perception of reality.

Is it any wonder, therefore, that CISOs fight a constant battle to communicate their message, to alter the perception of the senior executives who have the authority to enable change? It also makes me consider whether, just perhaps, CISOs are biologically different from other people – are we pre-disposed to internalize both positive and negative risk issues in a more balanced way than the people around us?  If that is the case, how do we get them to see things from our perspective?

And, no, FUD is not the answer….