Risk Analysis Gone Awry: Software Project Over-Confidence
Bruce Schneier has a fascinating article over on Wired, based on a study by Magne Jorgensen, about how the act of undergoing risk analysis on software projects actually leads to over-optimism and over-confidence.
Potential explanations all come from behavioral economics: cognitive biases that affect how we think and make decisions. (I’ve written about some of these biases and how they affect security decisions, and there’s a great book on the topic as well.)First, there’s a control bias. We tend to underestimate risks in situations where we are in control, and overestimate risks in situations when we are not in control. Driving versus flying is a common example. This bias becomes stronger with familiarity, involvement and a desire to experience control, all of which increase with increased risk analysis. So the more risk analysis, the greater the control bias, and the greater the underestimation of risk.
The second explanation is the availability heuristic. Basically, we judge the importance or likelihood of something happening by the ease of bringing instances of that thing to mind. So we tend to overestimate the probability of a rare risk that is seen in a news headline, because it is so easy to imagine. Likewise, we underestimate the probability of things occurring that don’t happen to be in the news. A corollary of this phenomenon is that, if we’re asked to think about a series of things, we overestimate the probability of the last thing thought about because it’s more easily remembered.
According to Jørgensen’s reasoning, people tend to do software risk analysis by thinking of the severe risks first, and then the more manageable risks. So the more risk analysis that’s done, the less severe the last risk imagined, and thus the greater the underestimation of the total risk.
The third explanation is similar: the peak end rule. When thinking about a total experience, people tend to place too much weight on the last part of the experience. In one experiment, people had to hold their hands under cold water for one minute. Then, they had to hold their hands under cold water for one minute again, then keep their hands in the water for an additional 30 seconds while the temperature was gradually raised. When asked about it afterwards, most people preferred the second option to the first, even though the second had more total discomfort. (An intrusive medical device was redesigned along these lines, resulting in a longer period of discomfort but a relatively comfortable final few seconds. People liked it a lot better.) This means, like the second explanation, that the least severe last risk imagined gets greater weight than it deserves.
Related posts:
- Freud & Versioned Development: Reducing Project Risk w/Psychology In Steve McConnell’s classic, ‘Rapid Development,’ he talks about the...
- Software Project Lessons from Michaelangelo My wife and I recently went to Italy and...
- Google Software in the Enterprise? Jason Hiner has a fascinating article at TechRepublic arguing that...
- Personal Development: The Next Level in Software I was on construx’s website the other day (Construx does...
- Product-Service Innovation: The Creative Project Manager (Part 1) Project managers are usually thought of as analytical types...
| | |      420 views |