Research

Staying one step ahead of the ever-changing threat landscape is a strategic imperative for Veracode. Whether it’s desktop apps, web apps or mobile, we’re constantly looking for software vulnerabilities. If we discover something interesting, this is where you’ll read about it.

Overcoming Bias: The Affect Heuristic

This article on the affect heuristic was posted to the Security Metrics mailing list (highly recommended). I think it is important for people who are reporting on the potential risks of a system to understand this psychological phenomenon. It shouldn’t be dismissed as simply “people are irrational and don’t understand statistics.”

People believe that benefit and risk are intertwined. They think a highly beneficial thing is also a less risky thing, even though you can have low-risk and high-risk things, both with great benefits. People also don’t know how to calculate risk in percentages. Absolute numbers seem to resonate. Security professionals may be rational about security measurement and risk, but we need to remember that we are often communicating this to people who aren’t.
