
A Call to Arms: It is Time to Learn Like Experts

November 23, 2011

I had an article published in the November issue of the ISSA Journal with the same name as this blog post. I've got permission to post it to a personal webpage, so it is now available here.

The article begins with a quote:

When we take action on the basis of an [untested] belief, we destroy the chance to discover whether that belief is appropriate. – Robin M. Hogarth

That quote is from his book, “Educating Intuition”, and it really captures the essence of what I see as the struggle in information security. We make security decisions based on what we believe and then move on to the Next Big Thing without seeking adequate feedback. This article is an attempt to say that whatever you think of the “quant” side of information security, it needs to be compared to what we have without quants, which is an intuitive approach. What I found in preparing for this article is that the environment we work in is not conducive to developing a trustworthy intuition on its own. As a result, we are justified in challenging unaided opinion when it comes to risk-based decisions, and we should be building feedback loops into our environment.

Have a read. And by all means, feedback is not only sought, it is required.

  1. November 27, 2011 at 11:02 am

    Jay – I liked this article a lot.

    I can make a comparison to the retail loss prevention world. There is a clear division between a forward-looking group of retailers & experts (Target, Best Buy, Wal-Mart, Procter and Gamble, etc.) from a loss prevention perspective, and others who are still using failed tactics from years ago (Sears, K-Mart, Toys R Us, etc.).

    Which expert do you trust? And why? And where do you apply that focus in terms of picking the right strategy to move you forward? I think that’s what you were getting at in your article.

    Nicely done –

  2. November 29, 2011 at 8:25 am

    Great article. In struggling with establishing a security maturity model to help organizations make measured, and measurable, steps towards a more secure environment it is common to be challenged by “best practice” principles that may, or may not, be an appropriate allocation of limited resources. Understanding infosec decision making can go a long way toward guiding security programs toward a better investment in programs and initiatives. Thanks so much.
