Wednesday, February 20, 2019

It's official: I'm an award-winning technologist

Earlier this month I was delighted to receive the CompTIA Tech Champion Award, "recognizing leaders focused on driving innovation, job growth and advancements for the information technology (IT) industry." There was even a press release and a video!


To put this award in context, CompTIA is the Computing Technology Industry Association:"the leading voice and advocate for..industry and tech professionals who design, implement, manage, and safeguard the technology that powers the world’s economy."

Saturday, February 16, 2019

Risk assessment and situational awareness: minding the gender gap with the elevator question

Man and woman in elevator iconConsider this: a man and a woman get into an elevator. Which one is doing risk assessment?

I've been posing this question to random groups of people on the fringes of information security and cyber-workforce events for over a year now and the results have been very interesting to say the least. 

Almost without exception women respond to the elevator question by saying: "the woman." 

Based on my research into gender differences in risk perception that response was what I expected, but I continue to be surprised by two things:
  • How quickly that response is voiced, usually in less than a second or two. 
  • How many women, after answering, proceed to share—without any encouragement—their personal elevator strategies (more on these later).
Not so surprising is the fact that no woman has yet responded to the elevator question with words to this effect: "I've never really thought about it."

How do men answer? Quite a few say "the woman" and I take that as a positive sign. It suggests that those men understand one of the fundamental realities of gender inequality in our society: women live with a greater base level of fear for their personal safety than men do. As a result, it is reasonable to hypothesize that women tend to have a lot more "lived experience" of risk assessment than men

Although quite few men say "the woman" it usually takes longer for them to come to that conclusion than women. You see quite interesting facial expressions when someone in mixed company answers "the woman" very quickly and decisively. Some men seem genuinely puzzled. This suggests another hypothesis: some percentage of men don't realize that women live with a greater base level of fear for their personal safety than men do.

I should note that some men—notably some security professionals—have answered "the woman" very quickly.

Fear, risk perception and social science 

My original motivation in asking the elevator question was to get a sanity check on two hypotheses that I formed while researching risk perception as it relates to technology: 

Hypothesis 1: Women tend to see more risk in technology than men.

Hypothesis 2: An increase in female participation in technology development and cybersecurity would lead to reduced risk and increased security.

You can see from the graph below that H1 was validated by some formal research into risk perception as it relates to gender and technology; this is from the study by myself and Lysa Myers. back in 2017 when we were both working for ESET.


Over 700 research participants were asked how much risk they thought each of these 15 technology-related items posed to human health, safety, or prosperity: x-rays, artificial intelligence, gun ownership, genetically modified food, nuclear power, oil and gas fracking, network failures, government data monitoring, accumulation of personally identifiable information, global warming, motor vehicles, hazardous waste, theft or exposure of personally identifiable information, air pollution, and criminal hacking.

For all 15 items, women rated the risk higher than men.

Unlike that study, posing the elevator question to random groups of people does not count as formal social science. The reactions that you get may be influenced by the uncontrolled demographics of the group (all male, all female, mixed). But I think there's a solid and potentially career-boosting research project somewhere in the elevator question, ripe for anyone with the resources to undertake a more formal study.

What the graph above illustrates is the gender gap in technology-related risk perception. Numerous studies have documented this over the course of several decades (see the 1994 paper "Gender, race, and perception of environmental health risks" by Flynn, Slovic, and Mertz for early references: Risk Analysis, 14, pp. 1101-1108, with pre-print PDF freely accessible here).

As far as I know, it was studies of public sentiment around environmental issues that led to the first documentation of a gender gap in technology-related risk perception. The research that I did with my colleague at ESET, Lysa Myers, was to the best of our knowledge the first to show that this gender gap also exists with respect to risks related to digital technologies. That finding led us to hypothesize that women—on average or in the aggregate—are more aware of cyber-related risks than men.

A counter-argument might be that men are more realistic in their assessment of risk because the true level of risk is lower than women think and closer to the population mean. To this I say: how many people have a clear picture of the level to which digital technology has been criminally hacked, broken, and abused for selfish purposes? That's why, in my opinion, the risks from digital technology are higher than the mean. Therefore, women are more accurate in their technology risk perception than men (on average or in the aggregate). 

Research into the gender and ethnic variations in risk perception has shown that it is white males, as a whole, who see less risk in technology than black males, white females, or black females (these were the names of the categories used by the researchers). But that score—which has been dubbed the white male effect—is the result of a subset of while males seeing drastically less risk than anybody else. The group, possibly 30% of white males, lowers the overall risk scores for all white males, creating the gap you see in this chart from the 1994 Flynn, Slovic, and Mertz study (adapted):
As I indicated earlier, this study was not an outlier, other studies point in the same direction and I am not aware of any that point in the opposite direction (I did look for them). You can find quite a few studies, as well as deep dives into why some people see less risk in technology than others, at the Cultural Cognition Project at Yale Law School.

What does it all mean? As I suggested in my 2015 TEDx talk, I think it means that the rate at which new technology risks are created would go down if decision-making roles in tech companies were more evenly distributed between genders.

Back then I said "we need more women in decision-making roles in techn ology" and some surveys suggest that there are now more women in such roles than there used to be; but I think we are nowhere near the level of gender equality needed to put the brakes on fresh technological blunders.

In the coming months and years I will continue to articulate these views. In the meantime, I have another study idea, a slightly different elevator question, that you might want to consider. Document what happens when you ask women this question: "What goes through your mind if you're alone in an elevator and a man gets on."

I think you will hear some interesting personal elevator strategies. The ones that I have heard certainly gave me a better sense of just how unequal life is for women and men, even now, two decades in to the 21st century.