Four Myths of Risk
I love getting feedback, especially constructive feedback. Take this feedback from a friend who read my blog post “Grand Unifying Definition of Risk”,
“Way to go Jacobs… what a colossal waste of time. Way to blog about something nobody gives a crap about.”
I, of course, had some follow up questions and a healthy discussion ensued. I learned that my friend, who is by all accounts reasonably intelligent, saw no connections between that post and reality. What did I miss? What could I have done differently and where did his reality diverge from my post? Here are a series of myths that I uncovered in and since that conversation.
Myth 1:Risk belongs with a risk management group
Fact is, most everyone working in I.T. makes risk-based security decisions every project, everyday. It’s just that they don’t think of these things as “risk” decisions, they think of them as getting stuff done. Decisions are part of our daily experience but nobody gives much thought to the intuitive risk analysis that goes into each decision, and perhaps worse – nobody thinks about how they may improve on the analysis or those decisions.
The first step in addressing any problem is realizing that a problem exists. It’s more complicated in infosec because we all realize a problem exists, but we make the mistake of thinking hardware or the Next Best Thing will solve it rather than looking towards the people with fingers on the keyboards and what their decisions mean.
Myth 2: Spherical Cows are useless
When I pointed out the story of the spherical cow in this conversation, it struck home. According to my myopic friend, I was talking about theoretical blatherings that didn’t have any impact on reality. I don’t disagree, but the important distinction is not yet. We need to start with the theory and build from there.
I see this lack-of-reality when reading about decision theories which say things like “this method assumes that perfect data exists”. But there is a value in understanding how things work in situations with less variables before more complexity is introduced. Spherical cows are great theories for working out multiple ways (not) to solve a problem, just don’t assume the farmer will care. In other words, just because my reality has wacky theories doesn’t mean everyone else’s does too.
Myth 3: Can’t teach an old dog new tricks
Yeah, that’s a myth and you know who you are.
Myth 4: People Don’t Care
During the conversation, as I mentioned some new program or another, he said “you can’t implement a program to make people care.” Brilliant. Spot on and brilliant. Except people do care, a whole lot, just not always about the things we’d like them to care about. People care a about keeping their job, perhaps having good coffee in the break room, or going up north for the weekend. The trick to instigating positive change is aligning what people already care about with the positive change we are seeking. In other words, we shouldn’t just be figuring our how to write secure code, we should figure out what our developers care about and how that can be related to secure coding practices.
If anyone remembers what infosec was like in the 90’s but security back then was even more embarrassing than it is now. Recommending an internet facing firewall and having users change their default passwords were staples on the few security assessments performed back then. How did we go from there to huge stinkin’ security budgets and controls? Regulations, or more specifically, enforcement of regulations forced the alignment of (checklist) security with something they already care about: not getting fired, getting paid and still making it to lunch.
I can honestly say, that my theories of risk and security do not mean squat except to maybe a handful of people who largely want to assume with me that we exist in a vacuum without the influence of gravity. Once we get comfortable with the theory, then we can begin figuring out how to deal with the reality of people not giving a crap about it.