Apr 17, 2017
United Airlines, Emotional Intelligence, and Risk Assessment
As pretty much everyone on the planet knows by now, last week when footage of a passenger being forcibly removed from his seat by security at the request of United Airlines went viral, United’s stock price imploded, slashing the company’s market capitalization by $800 million. The stock rebounded slightly during the week, limiting the loss to $250,000,000 by late Thursday.
Most onlookers agreed that United’s actions before, during, and after the incident reflected stunning tone-deafness. And they’re right. Regardless of the particulars of the situation, it’s jaw-droppingly stupid to drag a screaming, bleeding passenger down the aisle, then offer an airy non-apology for the Orwellian-sounding “re-accommodation”.
But there’s more to the picture than that. What looks like institutional tone-deafness is actually a manifestation of low “emotional IQ” (EIQ) at both the individual and the institutional levels.
And what’s interesting about that, in turn, is that it allows us to compute the actual cost of low EIQ in a way that’s been difficult until now. We can now say that low EIQ can cost a company $250 million or more, and point to United as an example. That makes low EIQ a business risk on par with cybersecurity breaches: The Sony breach back in 2017, widely cited as one of the worst all-time breaches, was estimated to cost the company a “mere” $170 million.
So far so good. But consider this: Enterprise organizations invest billions of dollars in cybersecurity.
Financial analysts estimate that the cybersecurity market will grow from $122 billion in 2016 to $202 billion by 2021. It’s not unusual for a large enterprise to invest $10 million or more in cybersecurity per year; enterprise organizations spent an average of $1,053 per employee per year on cybersecurity in 2016.
How much are they spending on EIQ? I have no idea, but I’ll go waaaaaay out on a limb here and suggest it’s nowhere near that much. In fact, it’s very likely a big fat goose-egg.
And that’s a huge problem, because the institutional risk posed by low EIQ is financially comparable to the risk posed by a cybersecurity attack, says Maria Lopez, VP of financial compliance and risk at a major bank (she requested anonymity for her employer). Lopez was the one to draw my attention to the relationship between United, EIQ, and cybersecurity risk.
In other words, there’s a ginormous mismatch between the perceived risk posed by low EIQ (practically zero, given the amounts spent on it) and the perceived risk of cybersecurity attacks (high and rising).
Why am I bringing this up? Because this is a very common problem. Institutions (and individuals) often grossly miscalculate relative risks. For instance, you’re six times as likely to die in a car crash as in a plane crash (computing likelihood either by hours or miles traveled). But most of us think nothing of driving to the airport, yet get butterflies in our stomachs when the plane takes off. (By the way, that’s also a misapprehension of risk: You’re 3.6 times more likely to experience an accident while landing than upon takeoff, with 43% of airline accidents occurring at landing, versus just 12% on takeoff. But I digress!)
The point is, we cybersecurity professionals need to be cognizant of the broader world of risk in which we operate. In a world in which low EIQ can cost a company more than a full-on cybersecurity attack, it may make sense to rethink how we allocate corporate resources.
I’m not suggesting anyone cut cybersecurity budgets; in fact, I believe that most organizations are woefully underfunded when it comes to cybersecurity. But maybe we should spare some cycles to think about how we can better protect against the cost of low EIQ. Because one thing’s for certain: United is hardly the only company suffering from this problem. And the fix is neither cheap nor easy.