Introduction

Most people react to risk in an emotional manner. This reaction often comes as a surprise to people who understand the true statistics relating to risk. In organizations such as government-funded healthcare, local government and other public services, the attitude to risk management is often clouded by a perceived public need for certainty. In politics, risk management is often based more on managing public opinion than dealing with the reality of the risks faced. One of the most public illustrations of how risk is perceived and reacted to is called 'moral outrage' by sociologists and psychologists. Information security professionals often overlook the manner in which their own perceptions impact on risk. One important characteristic of information security practice is that it can arouse emotions, sometimes significant emotions. Information security practitioners can be accused of being obstructive and unnecessarily authoritarian.