Does knowing too much about a risk unduly introduce bias into the risk assessment process?
Hypothesis
Knowing too much information, like the asset, data at risk or the threat actor, influences our ability to effectively make risk based decisions and introduces biases in how we evaluate and make assessment recommendations, and ultimately how we perceive risk.
A risk scenario in which a loss occurs that exceeds the risk appetite, should not be downplayed in the assessment process due to subconscious or conscious biases. Conversely, a risk scenario which falls within our appetite and tolerance for risk, should not be overemphasized by those same biases.
Goal
Determine if individuals consistently assess risks, with the same results, or if there is a significant deviation in their approach to the evaluation and assessments made.
Testing Details
This study will utilize A/B testing. Each pool will contain scenarios from each of the individual assessment categories (2 from Accept, 2 from Avoid, 2 from Mitigate, and 2 from Transfer) with the remaining two random scenarios being from any of the four assessment categories.
-
- A total of 10 scenarios will be provided to the participating assessor.
- Five of the scenarios will be represented purely based on quantitative values only.
- Five of the scenarios will be represented in qualitative terms.
- Four scenarios will be the same scenario, just presented differently.
- Two scenarios will be unrelated.
The scenario relationships have been randomized and will require evaluation and assessment being performed solely in context of the scenario displayed.
Assessment recommendation
Given the criteria provided and in context of only the scenario being viewed, review each scenario and recommend whether the scenario should be:
-
- Accepted – scenario is within tolerable boundaries, as defined.
- Avoided – scenario exceeds both the tolerable boundaries and value/benefit to be gained.
- Mitigated – scenario exceeds tolerable boundaries, as defined. However value to be gained is greater than the cost of mitigation.
- Transferred – scenario is a low frequency-high impact event.
As previously mentioned, the scenario relationships have been randomized and will require evaluation and assessment being performed solely in context of the scenario displayed.