Risk Perception, Trust and Credibility
Cmpe 471-03
fall 2001
SECURITY
• SCOPE:
– Analyse security from a social sciences point of view rather than a technical one
– Security is a cost that has to be justified
– Perception of risks determines the level of security that needs to be implemented
SECURITY
– debate on: companies should understand how much security is needed before designing bulky security systems, especially in internet applications
– understand how risks are perceived by different stakeholders, namely customers
– understand the factors that contribute to forming and changing risk perception.
RISK
• Possibility of suffering harm or loss, a factor, course or element involving uncertain danger
OPPORTUNITY & THREAT
THEORETICAL FRAMEWORK
• Important parameter in designing security systems is the COST
RISK ASSESSMENT
• Risk perception
– psychological theory of risk: how the general public reacts to uncertainties of danger, and how this general reaction affects individual behaviour.
– cultural theory of risk: Risk perception differs depending on the social group & belief system an individual belongs to (Douglas 1970)
Reacting to Threats
[Diagram: THREAT, RISK PERCEPTION, RESPONSE; labels: Passive Reaction, communication]
Reacting to Threats
[Diagram: External danger, RISK PERCEPTION, RISK MANAGEMENT; labels: Organisation Structure, Shared Meaning and Trust]
CULTURAL THEORY
• When we try to think of the individual in a social context, we normally think of the corporate group or groups to which they belong.
• Individuals also have constraining classifications within the group: hierarchy, kinship, race, gender, age...
CULTURAL THEORY
[Diagram: four quadrants; axes: Grid (Individual) and Group (Social incorporation)]
B: Fatalists | C: Hierarchists
A: Individualist | D: Egalitarians
Four types of social environment and cultural biases (Douglas 1970)
CULTURAL THEORY
A: competitive, control people, autonomy; see risks with opportunities
B: no voluntary risk taking, but accept it as a given, no personal autonomy
C: group is emphasised; division of labour, specialisation, segregation of duties. Take risks iff it is approved by experts; hierarchical authority
D: members get their support from the group; no formal delegation. The group dissolves in the absence of strong leadership
[Diagram: quadrants on the group and individual axes: B Fatalists, C Hierarchists, A Individualist, D Egalitarians]
CULTURE AND RISK
• Risk behaviour is a function of how human beings, individually and in groups, perceive their place in the world.
• It is important to understand the role of culture in stakeholder interaction in order to understand cultural biases in risk perception.
STAKEHOLDER MODEL
• Stakeholders
– Users: information user
– Suppliers: information provider and systems developer
– Others: systems manager
• Each stakeholder group has a differing perception of the same risk.
• Stakeholders can be grouped within themselves depending on the social groups they belong to rather than roles they assume.
STAKEHOLDER MODEL
[Diagram: columns USERS, SUPPLIERS, OTHERS; each column contains Individualist, Fatalist, Hierarchists and Sectarians/Egalitarians]
Links stakeholder model with the cultural theory
STAKEHOLDER MODEL
• Individuals have different cultural biases and have different perceptions of risk
– computer privacy and security rules are different in different countries
– Singapore, Japan, US, Canada
• Grouping stakeholders is not enough for designing IS.
RISK COMMUNICATION
• It is important to know the cultural backgrounds of the stakeholders
– how they perceive risks
– how they communicate risks
– risk communication theory
– risk communication model
RISK COMMUNICATION
• Past:
– risk communication as one way to general public from government…
– efforts to improve risk communication
– to get the message across by describing the magnitude and balance of the attendant costs and benefits
RISK COMMUNICATION
• The costs and benefits are equally distributed across a society
• People do not agree about which events or actions do the most harm or which benefits are more worth seeking.
RISK COMMUNICATION
US National Research Council (1989)
Risk communication is an interactive process of exchange of information and opinion among individuals, groups and institutions. It involves multiple messages about the nature of the risk and other messages, not strictly about risk, that express concerns, opinions and reactions to risk messages or to legal and institutional arrangements for risk management.
Top-down definition of risk
RISK COMMUNICATION
• Risk Communication
– risks posed to stakeholders on the web are technological hazards
– classical risk communication model:
  • sources
  • transmitters
  • receivers
Certain aspects of risks are intensified or attenuated
[Diagram: risk communication model, set within CULTURE]
Risk Event
– Portrayal of Event with symbols, signals and images by the Sources
Sources: Scientists; Agencies; Interest Groups; Eyewitnesses
Transmitters: Media; Institutions/Agencies; Interest Groups; Opinion Leaders
Receivers: General Public; Affected Organisations/Institutions; Social Groups; Other target audience
Feedback; two-way interaction
[Diagram: Initial Information; HEAR; CULTURE (SOCIAL FASHION, PERSONAL VALUES, RELATED ATTITUDES, INFLUENCES): Appeal / Do not Appeal; UNDERSTAND; BELIEVE; PERSONALIZE; RESPOND; New Information]
Communication
• The recipient hears the information and then screens it based on social fashion, personal values, attitudes under the influence from peer groups
– cultural forces before understanding the message
• Believing involves acceptance that the understanding is correct
– the risk is real
• Personalisation
– the risk event will affect the receiver
• Response
– decision to take action for protection from risk
Communication
• Credibility of information sources and transmitters is a key issue in risk communication
TRUST AND CONFIDENCE VS CREDIBILITY
• Trust is an important ingredient in any trade transaction
• Trust acts as the mitigating factor for the risks assumed by one party on the party in the trade
• As trust increases the risks either reduce or become manageable by the trusting party
• Existence of trust also reduces the transaction cost in a trade
TRUST
[Diagram: levels of trust]
– Boxes: Message generated by the Person; Person or Communicator; Institution where Person works; Social and Economic Environment where the Institution is located
– Trust levels: Trust in the Message; Confidence in the Person; Confidence in the Institution based on perception; Climate for Trust and Credibility; Confidence in the Institution based on Institution’s performance
– Annotations: How a Person creates and transmits a message; How a recipient analyses the message
For effective communication of risks it is critically important that receivers place trust on the sources and transmitters (Lee 1986)
Five levels of trust analysis framework
INSTITUTIONAL CREDIBILITY
• Confidence in business and economic organisations depends on the perceived quality of their services, but also on the employment situation, the perception of power monopolies in business, the observation of allegedly unethical behaviour and the confidence in other institutions
• Confidence in political institutions depends on their performance record and openness, but in addition on the perception of a political crisis, the belief that the government is treating everyone fairly and equally, the belief in functioning of checks and balances, the perception of hidden agendas, and the confidence in other institutions
INSTITUTIONAL CREDIBILITY
• The more educated people are, the more they express confidence in the system, but the more they are also disappointed about the performance of the people representing the system
• Political conservatism correlates positively with confidence in business and negatively with government and public service
INSTITUTIONAL CREDIBILITY
• The social climate pre-sets the conditions under which an institution has to operate to gain and maintain trust
• In a positive climate people invest more trust in institutions
• In a negative climate people tend to be cautious and seek to have more control
Risk Perception, Trust and Credibility
• Hypothesis:
– once trust and credibility exist in a relationship among the stakeholders during risk communication, stakeholders do not get involved in the analysis of risk factors individually, and
– information systems security becomes less important to people when dealing with a trustworthy and credible institution.
Risk Perception, Trust and Credibility
• Personality of the communicator, with attributes of ability and integrity, is also important in establishing trust.
• Overall, message, communicator, institution, and the social context are the major factors in establishing trust within an organisation.
Risk Perception, Trust and Credibility
• Inferential analysis:
– inverse correlation between trust and security on the internet
– the higher the trust placed on an organisation the lower was the security concern.