LOGBOOK

HELP

Quiz Entry - updated: 2026.05.31

Bruce Schneier observed: "More people are killed every year by pigs than by sharks, which shows you how good we are at evaluating risk." What's the practical takeaway for cyber risk management?

Human risk perception is systematically biased — toward vivid, dramatic, novel threats and away from mundane, frequent ones. Risk management exists to counter this bias with arithmetic.

The "pigs vs sharks" point in plain numbers:

  • Sharks (worldwide): ~5-10 human deaths per year.
  • Pigs (farm accidents): ~50+ human deaths per year, possibly more depending on how counts are pooled.
  • Sharks are vivid + scary + cinematic. Pigs are mundane. Our brain weights vividness over frequency.

Mapped to cyber:

  • We over-fear: nation-state APTs, zero-days, AI deepfakes.
  • We under-fear: lost laptops, phishing, weak passwords, unpatched servers — the boring stuff that actually compromises most orgs.
  • Verizon's DBIR consistently shows >80% of breaches involve commodity techniques (credential stuffing, phishing, mis-configurations), not zero-days.

Why risk management exists: to force the decision-making lens off the dramatic and onto the expected annual loss in CHF, which equalises the field. The whole point of quantifying risk is to fight intuition's overweighting of the scary-but-rare.

Tip: When a security headline grips a team, ask: "What's the FAIR-style annualised loss from this versus what we already have on our top-10 list?" — usually that flattens the panic.

From Quiz: ISF / Risk Management | Updated: May 31, 2026