In lieu of an abstract, here is a brief excerpt of the content:

43 “A word to the wise ain’t necessary—it’s the stupid ones that need the advice.” —Bill Cosby Risk is an extremely important aspect of the process of protecting against identity theft, because the level of perceived risk from the threat of identity theft determines how much time, effort and money should be spent to reduce this risk. If the risk is perceived to be low, then the resources that should be expended to address the threat are less than if the risk is perceived to be high. This chapter explores different aspects of risk as they pertain to identity theft and fraud, including definitions, perceptions, impact and likelihood of risky events, risk mitigation and, finally, the implications of identity theft on trust. Risk, Identity Theft and Fraud Risk is defined as a state of uncertainty where some of the possibilities involve a loss, catastrophe or other undesirable outcome (Hubbard 2007: 46). In turn, uncertainty is defined as the lack of complete certainty, or the existence of more than one possibility of occurrence, and the ‘true’ outcome is not known in advance. It is possible to have uncertainty without risk, but not risk without uncertainty. Risk may be measured or estimated where there is a set of possibilities, each with quantified probabilities and quantified Chapter 3 Risk and Trust 44 | Identity Theft and Fraud losses. An example: based on a statistical survey, there is a probability of 0.0001 that a consumer will experience some sort of identity fraud in the next year. If such an event occurs, the consumer will spend an average of twenty hours trying to clear the problem. That is, a consumer runs a 0.0001 probability of losing twenty hours due to identity theft during the next year. Assuming that time is worth $20 per hour to the consumer, the cost of such an event would be $400. Multiplying together the probability of the event and the amount lost if the event occurs gives an expected risk of $0.04 (just four cents). Technically speaking, this is the expected dollar loss to a consumer from identity fraud this year. This number seems small to a consumer until it actually happens to the individual; then it looms much larger. But this number is meaningless unless it is compared with the same values calculated for other identity risks that might also occur at the same time. With reference to other possible risks, the larger this product is, the more attention should be paid to reducing (mitigating) it. Although people cannot always determine whether a potential negative event will in fact occur, we increasingly seem to feel that we must act as though we can. As Schneier (Schneier 2003) explains, “People worry about airplane crashes not because we cannot stop them, but because we think as a society we should be capable of stopping them (even if that is not really the case).” Our perceptions of risk, combined with our desire to manage risk, are factors that help to make decisions that are designed to prevent any actual or perceived harm. Risk perception is often very different (either more or less so) than actual risk in the view of the public. There are a variety of reasons why this is so (Gilbert 2006; Schneier 2003: 26-27): • People overreact to intentional actions and underreact to accidents, abstract events and natural phenomena (e.g., terrorist threats using biological warfare, with annual death tolls near zero, as compared to the normal incidence of influenza, which annually kills thousands). [18.226.177.223] Project MUSE (2024-04-25 17:27 GMT) Risk and Trust | 45 • People overreact to acts that they feel are offensive, such as political corruption, whereas they might not react at all to small acts of income tax evasion by common people , even if they cumulatively amount to much greater losses to the government. • People overreact to immediate threats and underreact to long-term threats. This is what leads to managers insisting on diligently searching out and blocking physical threats to a computer centre, while giving less attention to long-term but low-probability online security threats that could ultimately bankrupt the company if they actually occurred. • People underreact to changes that occur slowly and over time. As the number of identity thefts and frauds increases slowly over the years, management begins to recognize that there is a potential threat to the organization , but may decide against providing the level of security needed to defend against...

Share