More on PCI Compliance and Assessment of Risk

Last week we gave some examples of proper risk assessment and the common pitfalls people fall into when assessing risk with regard to PCI Compliance. I mentioned that people have a natural tendency to overestimate or incorrectly estimate perceived versus actual risk. In his 2003 book, Beyond Fear: Thinking Sensibly about Security in an Uncertain World, author Bruce Schneier analyzes some of the more common risk misconceptions exhibited by average people. A person tends to exaggerate stupendous but very rare risks while at the same time seeming unconcerned about the most common and far more routine risks. People worry about a tornado knocking their house down or a flood washing it away while not worrying at all about slipping in the shower, even though the risk of injury in their own bathroom is far, far greater.
My parents were always convinced that sickos out there were poisoning kids’ candy and would always scrutinize my sisters’ and my hauls after an evening of trick or treating, looking for hypodermic needle holes, razor blades or evidence of tampering. Their fear was largely based on an article my mother read that warned parents of the potential for injury through Halloween candy. There has never been an actual police report documenting a case of injury or death of a child from eating candy collected on Halloween; it is just an urban myth. Yet rational, educated, intelligent people are more willing to believe that the threat from criminals with candy is greater than the threat of one of their kids getting hit by a car.
Part of the reason for my mother’s fear is that, like most people, she is overly concerned by risks that she sees as personal. Former Soviet Union dictator Joseph Stalin once said something to the effect of: “one death is seen as a tragedy while a million deaths are seen as nothing but a statistic.” He was right, of course. It’s one thing to hear about a bunch of people you don’t know checking out, yet quite another when it’s just one person that you knew.
Don't make this mistake with regard to PCI compliance. If you think that data breaches are just news reports affecting a bunch of nameless, faceless people, think again. PCI compliance is required, and it is the best defense you can provide to your customers and your business.