IEEE Technology and Society Magazine - Spring 2013 - 76

P(A&B), cannot be more than the
probability of either of its components, P(A) and P(B). However,
intuitive decision making leverages the representativeness heuristic that results in decisions and
estimates that consistently violate this basic fact. For example,
let us consider the case of Linda
who is good at math, introverted,
diligent, and unimaginative. The
probability of Linda being an
accountant as well as a historian
cannot be greater than that her just

the pop up resembles real antivirus
software. This can become a major
issue when security indicators are
used incorrectly [29]. It may be easier for phishing websites to appear
legitimate by misusing security indicators, such as the lock sign (Fig. 2).
Availability
Like representativeness, the availability heuristic acts upon probability judgments of likelihood
of a risk to occur. In general,
people tend to rate the probability

Actions preventing threats were
seen as safe, while those that detect
threats were seen as risky.
being a historian. However, people
systematically report the former
probability to be higher: i.e., people guess that she is more likely
to be an accountant with or without an interest in history than she
is to be an accountant interested
in history.
representativeness can
also get people to disregard
base rates. For example, in a
class of 100 students there are
70 boys and 30 girls. Student
A loves cats, is smart and
attractive. These attributes
may typically be attributed to
a girl rather than a boy. Thus,
even though the probability of Student A being a girl is lower (0.3) than
that of being a boy (0.7), individuals
will give an estimate that is higher
than the base rate on these conjoined
probabilities. Similarly, while the
number of legitimate emails asking for personal information ismuch
lower than phishing emails, the former may appear higher depending
upon how well the phishing email
has been crafted. Considering the
example of pop-ups (Fig. 1), there
are arguably no pop-ups that provide
legitimate antivirus services. However, the probability of one being
accurate is heightened by how well
76

of a risk to be high if the ease of
recalling an instance of that risk is
easy and low if it is difficult. For
example, Sherman et al. asked
participants in their study to rate
the ease with which they could
imagine contracting a particular
disease [23]. They found that the

Fig. 2. A well placed lock sign may inspire
a sense of trust and hence security, even
absent critical indicators such as https.

ease of imagination was correlated
with participants' perceived probability of contracting the disease.
Thus, people may be more scared
of anthrax than food poisoning,
even though statistically people are
more likely to die of food poisoning than of terrorism. Thus, heavily
publicized risks are more salient
in human imagination rather than
the more threatening one. This
impinges not only on individual
decision making but can also guide
public policy and investment.
This has several implications
in the security domain. In general, when security works best

then nothing happens. The lack
of incidence is not a salient event
that can be made readily available.
This also means that people will
find it easier to remember identity theft rather than the underlying mechanisms, e.g., phishing.
This heuristic is also leveraged
by attackers in phishing and other
spoofing attacks. In general,
phishing websites differ from their
legitimate counterparts in small
details. However, small details
are not as easily available to the
decision maker and hence a decision maker may not look for them,
thereby becoming a victim. This
is further complicated by belief
perseverance [17], i.e., if a person
believes hypothesis A, they will
continue to hold that hypothesis
as true simply because it is salient.
When end users go to a banking
website, they believe that they are
going to the right location. They
might keep holding to this notion
even after encountering several
visual cues that the website is
indeed fraudulent.
Availability can, however, be
used to design better risk
communication.
Koehler
found that if a person is
asked to imagine a hypothesis as being true, it increases
their confidence in the truthfulness of that hypothesis
[13]. In the security domain,
users many times are told
that the website they are navigating to is insecure and are asked
to reconsider their decision. Thus,
instead of simply suggesting that a
website is insecure, users might be
asked to imagine that the website
is insecure and the resulting implications. This would increase the
perceived salience of the risk and
may lead to safer behaviors.
Availability can also be leveraged
by
public
relations
campaigns in the form of public
service announcements or media
coverage of security incidents.
Increased coverage of risks such
as "Facebook fired" [38] would

IEEE TECHNOLOGY AND SOCIETY MAGAZINE

SprING 2013

Table of Contents for the Digital Edition of IEEE Technology and Society Magazine - Spring 2013