We have all read what damage the recent Wikileaks accusations have caused not only to named individuals, but to stock values of specific US banks, writes our regular contributor Mark Hanna.
We are also used to seeing and reading those regular urban myth e-mails such as the ‘gang initiation rituals’. Our own thoughts on such snippets of information often lead to a widening gap between perception and reality, but is there anything we can we do to address in advance, or quash such rumours or misinterpretation of the truth? There are various communication initiatives or plans that we can follow, such as security briefings for staff, newsletters or intranet articles, but all too often this does not manage to address the perceived risk that staff or the business may have. A risk that they believe is true, yet they often fail to approach the one person that is employed to be the security expert. I recall a meeting shortly after 9-11 in which staff requested gas masks, and parachutes for offices in London, and despite a specific briefing for senior staff, some departments still went out and purchased items that they believed would protect them without any previous knowledge or training of such items. This in itself was more of a risk than any perceived or actual potential risk to the business. Likewise, with today’s ‘Mumbai style terrorist attack’ threat, this appears to have led to a general fear of most buildings being at risk. So what are the real issues regarding perception over risk we need to be aware of? Such concerns can only be addressed if we understand the basic concept of perception. However, like many other ‘theories’ there are varying degrees of understanding on the subject, but Chauncey Starr’s simple theory is based on three simple approaches of psychology, anthropology/sociology and interdisciplinary.
Psychological approach
Perceptions of risk such as dread, fear and stigma usually lead to people having their own train of thought regarding probability, predictability and validity of such incidents occurring. This approach can often be due to our own imagination, past experiences or research; which, as we know, can sometimes be misleading. It can be categorised into the levels of how we understand risk, the emotions or feelings that we have towards the risk and the amount of people exposed to a specific risk. In other words, the more we believe there is a risk, and to a large group of people, the more likely we are to feel obliged to reduce the risk by ‘spreading the word’. A nightmare for any security manager.
Anthropology-sociology
This is based upon our social interaction and cultural views along with our own way of living, leading us to have pre-determined thoughts about how we and others live and threats to our way of life heightening our psychological approach to such risks. Society often has more of an effect upon our bearing than we may want to admit.
Interdisciplinary approach
This in effect relates to how we receive and transmit information. Our understanding of how we can best transmit our perceived risks that we have come to ‘believe’ can be communicated in a variety of forums such as word of mouth, the internet, newspapers, television, all which we know have the ability to ‘amplify’ the perception over risk. A prime example of this was the recent news release that Kabul city is safer than Glasgow. On the flip side, such forums may also ‘decrease’ the perception of risk depending upon what they want to air (the saleability of the issue at hand). However, if we believe that such a forum does not portray our own perceptions, we often tend to look for further avenues, but credibility is often required to substantiate any information. Hence the internet is a good source to use for being anonymous and not answerable if incorrect.
Counteraction
If we then consider the above three approaches to our intake, interpretation and transmitting of such risks, it is not a simple process to then counteract any such misconceptions. However, as security experts, it is our responsibility and duty to ensure we try. By understanding perception, it allows us to then approach the concern with a more rigorous stance than simple asking people to sit in a seminar to discuss that same old subject of security. Using recent events to highlight possible staff perceptions is a godsend, but often we have a small window of opportunity as things soon become old news. Once we have a potential, we need to get as high on the corporate ladder as possible to get the business buy-in. No matter what response we get, we must remember that it is the business that decides what risks they are willing to accept, and which they will want to eradicate or transfer, irrespective that it may be an actual or perceived risk. We simply advise, yet so many of us take it personally that our advice is not taken on board, or are advice is perceived as not correct for the specific business need at that time. Whatever the message we are trying to portray, we need to ensure we have the associated proactive and reactive risks analysed and ready in a short and sharp presentation or report. After all, as Arthur J Goldberg once said: ‘If Columbus had an advisory committee he would probably still be at the dock.’ Therefore, we must move from managing security to consultancy management to be able to advance as an individual and a business.
