Risk: Pigs and Sharks

Over at his super-cool new blog, Anton Chuvakin quoted Bruce Schneier:

'More people are killed every year by pigs than by sharks, which shows you how good we are at evaluating risk.'

As much as I respect Bruce, I would have to say that he's confusing local and global risk - he's mixing up logical levels. "Muddled thinking", as Gregory Bateson would have said.

Let me explain. First, a review of the definition of risk: "Risk = Vulnerability X Threat X Potential Loss".

In layman's terms, that means that risk increases proportionate to your ability to be attacked, the number of entities that want to attack you, and the amount you stand to lose from the attack ("attack" here meaning "loss causing event" without any implication of intent)

In those terms, let's think about pigs and sharks. Considering that we're talking deaths in each case, the amount you stand to lose is the same - namely, 100% loss, so all we're talking about is vulnerability and threat.

Interactions with pigs: relatively low vulnerability to to attack, and many human/pig interactions.

Interactions with sharks: extremely high vulnerability to shark attack, relatively few shark/human interactions.

While we may have few interactions with sharks, we intuitively know that if we have an interaction, we're going to end up with significant loss. However, in a large number of interactions with pigs, we're relatively unlikely to experience loss - so, we don't worry about them.

Bruce is being confused by the difference between global risk and local risk. Global risk is the cumulative risk to all people from all pigs and sharks, while local risk is the risk to any single person from a given pig or shark.

Given the choice between an interaction with a pig or shark, I'd say that every human would choose pig. And, from a risk management perspective, they'd be right to do so (because local risk is significantly higher when interacting with a shark). Which would mean that, globally, we'd end up with more risk from pigs (because there is more threat opportunity).

Humans are excellent at intuiting risk - we understand well what can potentially cause us loss on a local level. But we don't think about global risk very well - it's the same kind of thinking that leads individual companies to pollute the environment - they consider the local risks well without acknowledging the global risks.

