Update: It should be noted that I am a believer in risk management, especially quantitative risk management, but simply want to highlight some of the effects that bounded rationality has on our ability to manage risk.  I want to push us towards a more optimized view of rationality and risk management.

When we think of how to protect our most sensitive data we take one of two approaches.  Security is a tactical approach and risk management is a strategic approach.  Security implies the implementation of sound risk management practices.  While technical people like to talk about ‘vulns’, it is the risk management people who wax philosophical about long term strategy, data centric vs system centric approaches, and drink from the fountain of Utopian kool-aid.

I too have paid my dues and talked about risk management in its perfect form.  This approach involves metrics, models, threat vectors, the CIA triad, and a multitude of other factors.  Risk management was married long ago to the maiden of Capability and Maturity Models for long term vitality.  Combined, these two go hand in hand to protect data from its foes.  Or so the story goes.

Now, I’m not about to become a risk management heretic, but as Mahan Khalsa says in his well-known sales books, “let’s get real!”  One thing that risk management does not (typically) take into account is that people, humans, are irrational beings.  When it comes to assessing risk, managing hazards, making decisions, managing a crisis, navigating office politics, and altering perceptions, we have a roadblock called emotion.  Within emotion are all the factors that influence our decision making capabilities, such as fear, uncertainty, doubt, misdirection, and oh so many more.

History has shown that humans fear the small possibility of a quick, immediate death much more than the larger possibility of a long term, slow death.  The World Health Organization (WHO) reported that from 2003 – 2009 the total number of global deaths from Avian Flu was 257.  That’s not enough to even be a statistical anomaly, but we saw it on the cover of just about every magazine and newspaper around the world for a few months.  The WHO does not even rank influenza, of any sort, among its top 10 causes of death.  In fact, heart disease killed 7.2 million people in 2004, and road traffic accidents killed 1.27 million people.  We worry more about contracting a rare form of the flu and dying than we do about driving to the grocery store on a Friday night.

Proper MetriCon people might say that numbers don’t lie or have emotions, but the question is, “how good are those numbers?”  I recall one year an analyst group put out a press release saying that it costs companies $200 per lost credit card.  The following year many vendor companies ran with that number and sold their product as costing only $100 per record to protect.  That pitch treats a certain $100 spend as a 50% savings against a loss that may never happen.  The problem came the following year when the analyst firm revised their numbers to say that it only cost companies $80 per lost credit card, and the same arithmetic now said the product cost more than the loss it prevented.  (Numbers have been rounded and changed to protect their creators.)
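To make the “how good are those numbers?” point concrete, here is an added example (my own, not code from the original post) that runs the protect-or-accept decision over the two analyst estimates quoted above.  The $200 and $80 per lost record and the $100 per record vendor price come from the post; the record count and the breach probabilities are constructed assumptions, and the expected-loss model is the standard exposure times likelihood times loss-per-record calculation rather than anything the analyst firm published.

```python
"""
Added example: sensitivity of a protect-or-accept decision to the
per-record loss estimate.  Not from the original post.  Per-record
figures are the post's rounded numbers; everything else is assumed.
"""


def expected_annual_loss(records: int, breach_probability: float,
                         loss_per_record: float) -> float:
    """Annualised loss expectancy: exposure x likelihood x loss per record."""
    return records * breach_probability * loss_per_record


def annual_control_cost(records: int, control_cost_per_record: float) -> float:
    """What the vendor bills.  This is a certain cost, not a probable one."""
    return records * control_cost_per_record


def break_even_probability(loss_per_record: float,
                           control_cost_per_record: float) -> float:
    """Annual breach probability above which the control pays for itself
    on expected-value grounds.  A value above 1.0 means it never does."""
    return control_cost_per_record / loss_per_record


def decide(records: int, breach_probability: float,
           loss_per_record: float, control_cost_per_record: float) -> str:
    """'protect' when expected loss avoided exceeds the control's cost."""
    benefit = (expected_annual_loss(records, breach_probability, loss_per_record)
               - annual_control_cost(records, control_cost_per_record))
    return "protect" if benefit > 0 else "accept"


if __name__ == "__main__":
    RECORDS = 1_000_000        # constructed: card records on file
    CONTROL = 100.0            # vendor price per record, from the post
    # 1.0 is the breach probability the "50% savings" pitch silently assumes;
    # 0.3 is a constructed, more realistic annual estimate.
    for loss in (200.0, 80.0):           # analyst estimate, then the revised one
        print(f"loss/record ${loss:.0f}: break-even breach probability "
              f"{break_even_probability(loss, CONTROL):.2f}")
        for p in (1.0, 0.3):
            print(f"  p={p:.1f}: {decide(RECORDS, p, loss, CONTROL)}")
```

With the $200 estimate the control breaks even at a 50% annual breach probability, so the vendor’s “savings” only materialise if you assume a breach is a near certainty.  After the revision to $80 the break-even probability is 1.25, which no real likelihood reaches, and the same model that justified the purchase now says to accept the risk.  The numbers themselves did not lie; the decision simply depended on an input nobody had measured.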

I have been sold on the need for more metrics in risk management and security, but we need to temper our reaction to new data the same way we wait for Service Pack 2 before purchasing software.

We need to temper our risk management approach to one that accepts the hesitation of people to make precise and accurate decisions, especially when those decisions do not satisfy an immediate need.  I’ve spoken with many PCI Qualified Security Assessor (QSA) companies and many agree that companies focus on satisfying compliance first and push off risk management to a later date that sometimes never arrives.  The economics do not even need to matter as long as the immediate need is being satisfied.

People would rather spend more money now to satisfy compliance even if they could spend less over the long term to pave the road for a sound security strategy.  Why?  Well, there are many reasons but some of them include:

  • High turnover
  • Annual management based objectives (MBOs)
  • Immediate need for “compliance”
  • Lack of enterprise visibility
  • Siloed departments/divisions
  • Lack of information/education

It is the lack of awareness, information, and education that causes many companies to ignore the long term death and focus on the short term threat.  This is like putting a band-aid on a bloody stump and calling it a mere “flesh wound”.

We need to accept that people are going to make irrational decisions and devise new and creative ways to re-educate them about the decisions they are making.  I think that better and better metrics are certainly a way to get there, but we are a long way from the panacea of payment security and risk metrics.