Making Risks Visceral
Abstract risks don’t motivate action. “Someone could clone our access cards” is information. A video of a student walking into a server room with a cloned card is a budget line item.
The translation from abstract knowledge to felt urgency is a craft. It’s not manipulation — the risks are real. It’s communication that makes real risks real to decision-makers.
Why Abstraction Fails
Decision-makers discount abstract risks for predictable reasons:
- Probability neglect: Low-probability risks feel negligible until they happen.
- Availability bias: Risks that haven’t materialized feel less real than recent events.
- Cognitive load: Abstract risks compete with concrete, immediate demands.
- Diffuse accountability: If everyone is responsible, no one feels responsible.
- Budget competition: Concrete projects beat abstract protections.
Security professionals know the risks. Decision-makers authorize the budgets. Bridging this gap requires translation.
Techniques for Viscerality
- Demonstrations: Actually show the vulnerability being exploited. A video of access bypassed is more compelling than a report describing the vulnerability.
- Controlled incidents: Red-team exercises that produce real (but controlled) disruptions demonstrate impact without actual harm.
- Storytelling: Narratives about what happened elsewhere, or what could happen here, translated into local terms.
- Simulations: Tabletop exercises that make decision-makers experience (in compressed form) the consequences of unprepared response.
- Metrics with context: “47 vulnerabilities” is abstract. “47 ways someone could access our financial systems” is less abstract.
The Ethics of Viscerality
Making risks visceral raises ethical questions:
- Is it manipulative to stage demonstrations for emotional impact?
- When does “making it real” become fear-mongering?
- Who should control the narrative around organizational risks?
- Can viscerality be used to manufacture consent for unnecessary measures?
The answer depends on whether the underlying risks are real, the representations are accurate, and the proposed responses are appropriate.
Institutional Reception
Even visceral demonstrations can fail if:
- Leadership dismisses the demonstration as theatrical
- There’s no proposed solution (fear without action is just anxiety)
- The messenger lacks credibility
- Political dynamics prevent acknowledgment
- Acknowledging the risk creates liability
Viscerality is necessary but not sufficient. It must be combined with credibility, solutions, and political savvy.
Implications
- Security communication is a distinct skill from security implementation
- Understanding decision-maker psychology is essential for security professionals
- Demonstrations and exercises have communication value beyond training value
- Abstract risk reports may be insufficient for action
Open Questions
- When does making risks visceral cross into manipulation?
- How do you maintain urgency for risks that haven’t materialized?
- Can risks be made visceral without creating undue anxiety?
- What happens when viscerality is used for unnecessary measures?
See Also
- Invisibility of Infrastructure — why viscerality is necessary
- Security Debt — the risks that need to be made visible
- Red-Teaming as Pedagogy — demonstrations as both education and communication
- Moral Action Under Constraint — what viscerality is possible when you can’t reach decision-makers
- Publication vs Responsible Disclosure — publication as a tool for making risks visceral when private channels fail
- Trust Calibration — visceral demonstrations recalibrate trust faster than abstract reports