In all sorts of contexts, we often focus or obsess about the wrong things. We fear flying more than the road trip to/from the airport. We are terrified of cancer, but tolerate obesity and do our level best to ignore heart disease. We are petrified of driverless vehicles, while downplaying their safety, economic and social advantages relative to human-driven vehicles. "Foreigners" (especially Russians and Chinese, it seems) and terrorists are clearly out to get us, more so than our own governments, our friends and relatives, and just about everyone else for that matter, including ourselves! Gun-ownership is fine but guns are dangerous. Cellphone masts are patently evil (especially in/near schools), whereas the cellphones clasped to our heads or pocketed next to our crown jewels are good ...
Seems to me this is a widespread issue with risk management in general, including but going well beyond information risk management. It’s a sad indictment of our profession, too. We’re often wrong when we identify and prioritize the risks, or the constituent threats, vulnerabilities and impacts. Hence we’re often pushing the wrong controls, or ‘playing it safe’ by pushing and wasting effort & money on unnecessary controls when we perhaps ought to be focusing more on the truly necessary/critical ones. We promote IDS/IPS and SIEM and a million other shiny high-tech controls while neglecting backups, policies, awareness and training - the basics, fundamentals really.
So, on that premise, what is the alternative, the antidote? What if anything can we do about it? Here are nine non-exclusive approaches that occur to me, with a few cynical comments as I mull this over:
- Data-driven risk management, using data on actual incidents to assess risks and prioritize them more rationally (hmmm, this implies a historical bias, and a bias towards recognized/known incidents. And we probably lack sufficient data anyway. Oh and the Global Financial Crisis demonstrated how easy it is to get carried away by our own presumed competence)
- Find/invent better risk management methods … (good luck!)
- … and apply the methods more rigorously (doing a fundamentally broken process well doesn’t get us anywhere much though, except that it perhaps encourages us to improve systematically and acknowledge the limitations)
- Baseline or standardized security: put in place the basic controls that are generally accepted as being necessary (but if we are all deluded about the risks, what help is that? I guess it relieves us of thinking about the basics, leaving more head space for the remainder)
- Just do the best we can, but be more realistic about our limitations. Acknowledge that our controls – including risk management as a whole - are fallible, so emphasize incident management, resilience, recovery and contingency approaches (like, errr, reliable off-line backups to recover from ransomware and Windows updates [much the same thing!]. Oh oh.)
- Worry or obsess about everything. Control everything. Make security so tight the business squeaks. Be genuinely shocked when something big breaks spectacularly. (Snowden!)
- Downplay or ignore this issue. Put head in sand. Close eyes and stick fingers in ears, chanting la-la-la. Pretend that we’re on top of things, hoping that someone else will fix this (nonexistent) issue before we get hit hard. (Prepare excuses and maintain Curriculum Vitae)
- Take ourselves out of the loop. Hand this over to the robots. Hope that AI trumps wetware. (Hinson tip: this is the way of the future, like it or not)
- Make a serious, conscious effort to identify and counteract human biases, prejudices and blind-spots, including our own. Become more self-aware. (Think on!)
And before anyone comments, I appreciate that, as an infosec pro, I too am part of the problem but at least I'm contemplating solutions.
PS This piece was prompted by a BBC article about squirrels being more of a threat to the US critical national infrastructure than terrorists and a troll on the security metrics mailing list who plaintively insists he has a cunning new risk management method but refuses to tell us anything substantive about it.