Improvements Lie Between Theory and Reality
Every once in a while I come across something someone has written that really pokes my brain. When that happens I become obsessed and I allow myself to be consumed by whatever Google and Wikipedia dish out, which ultimately will lead to whatever articles or books I can get my hands on. The latest poking-prose is from Alex Hutton over on the Verizon Business Security Blog in a piece titled “Evidence Based Risk Management & Applied Behavioral Analysis.” At first, I wanted to rehash what I picked up from his post, but I think I’ll talk about where I ended up with it.
To set some perspective, I want to point out that people follow some repeatable process in their decisions. However, those decisions are often not logical or rational. In reality there is a varying gap between what science or logic would tell us to do and what we, as heuristic beings, actually do. Behavioral Economics, as Alex mentioned, is a field focused on observing how we make choices within an economics frame, and attempting to map out the rationale in our choices. Most of the advances in marketing are based on this fundamental approach – figure out what sells and use it to sell. I think accounting for human behavior is so completely under-developed in security that I’ve named this blog after it.
But just focusing on behaviors is not enough: we need context, we need a measuring stick to compare it against. We need to know where the ideal state lies so we know how we are diverging from it. I found a quote that introduces some new terms and summarizes what I took away from Alex’s post. It’s from Stephen J. Hoch and Howard C. Kunreuther from the Wharton School, published in “Wharton on Making Decisions.” Within decision science (and I suspect most other sciences) there are three areas to focus the work to be done, and it’s described like this:
The approach to decision making we are taking can be viewed at three different levels – what should be done based on rational theories of choice (normative models), what is actually done by individuals and groups in practice (descriptive behavior), and how we can improve decision making based on our understanding about differences between normative models and descriptive behavior (prescriptive recommendations).
From the view at my cheap seat, we stink at all three of these in infosec. Our goal is prescriptive recommendations: we want to be able to spend just enough on security and in the right priority. Yet our established normative models and our ability to describe behavior are lacking. We are stuck with this “do all of these controls” advice, without reason, without priority and without context. It just doesn’t get applied well in practice. So let’s step back and look at our models (our theory). In order to develop better models, we need research and the feedback provided by evidence-based risk management to develop what we should be doing in a perfect world (normative models). Then we need behavioral analysis to look at what we do in reality that works or doesn’t work (descriptive behavior). We will find that how we react to and mitigate infosec risks diverges from a logical approach, but only once we are able to define what a logical approach is supposed to look like in the first place.
Once we start to refine our normative models and understand the descriptive behavior, then and only then will we be able to provide prescriptive and useful recommendations.