The Placebo Effect

Irving Kirsch, psychologist at the University of Connecticut, and Guy Sapirstein did several experiments on the effectiveness of the placebo effect.

[Irving Kirsch] and Guy Sapirstein analyzed 19 clinical trials of antidepressants and concluded that the expectation of improvement, not adjustments in brain chemistry, accounted for 75 percent of the drugs’ effectiveness (Kirsch 1998).  “The critical factor,” says Kirsch, “is our beliefs about what’s going to happen to us. You don’t have to rely on drugs to see profound transformation.” In an earlier study, Sapirstein analyzed 39 studies, done between 1974 and 1995, of depressed patients treated with drugs, psychotherapy, or a combination of both. He found that 50 percent of the drug effect is due to the placebo response.

The problem is that “all placebo effects eventually wear off, thus making the placebo effect impractical for long term or chronic medical matters.”

Fear, Uncertainty, Doubt

In the same way, the information security industry, and arguably the nation-state at large, regularly uses fear, uncertainty, and doubt – or F.U.D. – as a method of enticing people to take certain actions/reactions.  We take this easy way out because it’s a lot easier to tell a scary story than to explain the complexities of reality.

A large data breach happens and it causes a state of fear that, for a short term, triggers a fight-or-flight response.  Some people will use this to push through new regulation, laws, or increased spending.  We saw this in response to 9/11 and we see it every day in businesses.

The problem with this method, aside from the ethical issues with its use, is that, like the placebo effect, it eventually wears off and thus is ineffective for long-term use.  At that point, you either need to reinforce the fear, which typically leads to acceptance (sometimes in the form of cynicism), or you need to replace the placebo of fear with facts.

P.T.S.D. and Data Breaches

Cognitive behavioral therapy is a well-known and accepted method for dealing with post-traumatic stress disorder (PTSD).  It works by slowly and gradually exposing the individual to a feared state in a safe and reassuring manner.  The old memories are not erased, but the new memories are additive, providing a more positive association with the remembered experience.  Reinforced FUD takes that same method but drives us down a regressive path.  Instead of moving beyond the fear, it reinforces it, driving it further inward and eventually preventing the subject from functioning (rationally) altogether.

Only reinforced facts about a situation can give individuals the self-confidence they need to survive potentially negative situations (such as a data breach) and move beyond them instead of reacting negatively to them.  Once armed with knowledge you can make rational decisions based on evidence rather than emotion and knee-jerk responses.

Being equipped with knowledge and well-reasoned data enables us to plan and prepare rather than always existing in a reactive state.

Measuring Risk

One way to arm ourselves with confidence is to measure the risk in a system so our response to securing it can be made in a planned manner.  When people discuss measuring risk there are a number of items that come to mind.  It is important to remember that we are not trying to measure technical risk, though that is one part of the equation.  We want to measure financial risk.  By measuring the financial risk that a system, department, or enterprise exposes us to, we can calculate and plan a method of securing the data.  This plan should take into account the financial liability or loss we are trying to avoid or mitigate.

This method differs from others in that it does not attempt to calculate the cost of a data loss per record, as that could vary based on the exposure in a system.  It does not attempt to calculate the technical risk of a system or department, because that may have no direct correlation with the financial losses.  It does not attempt to calculate the value of the money spent, as without a threshold for success (or an associated data breach) there is no way to optimize this measurement.  The focus is entirely on the overall risk associated with data loss based on legal, regulatory, and operational costs.

Presently, we each need to create this calculation and thus reinvent the wheel for every environment, but why?

The risk of exposure should be accessible in data breach reports.  The cost of fines and/or penalties is publicly listed by the FTC and the payment card brands.  State data-breach-notification costs are generally accepted to fall within a range.  We know data breach statistics by industry and type of business.

Why can’t someone model this data in such a way that each organization can enter in their environmental attributes, adjust the risk levels as per their individual thresholds, and have it calculate a financial risk or exposure of each system, department, or enterprise?
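A toy version of the model the post asks for, added here as an example and not code from the original post: each system carries the legal, regulatory and operational cost factors named above plus a breach likelihood and an organization-specific adjustment, and expected loss rolls up from system to department to enterprise and can be compared against a tolerance threshold. Every name and figure below is constructed for illustration, not a real fine, rate or statistic.

```python
from dataclasses import dataclass, field
from typing import List

@dataclass
class System:
    """One system holding data, with the cost factors the post names."""
    name: str
    records: int
    annual_breach_likelihood: float      # from industry breach statistics (constructed)
    regulatory_fine: float               # fines/penalties from regulators or card brands
    notification_cost_per_record: float  # state notification cost, within the accepted range
    operational_cost: float              # response, remediation, downtime
    risk_adjustment: float = 1.0         # the organization's own risk-level tuning

    def impact(self) -> float:
        """Financial loss if this system is breached: legal + regulatory + operational."""
        return (self.regulatory_fine
                + self.records * self.notification_cost_per_record
                + self.operational_cost)

    def exposure(self) -> float:
        """Expected annual loss: adjusted likelihood (capped at 1.0) times impact."""
        likelihood = min(1.0, self.annual_breach_likelihood * self.risk_adjustment)
        return likelihood * self.impact()

@dataclass
class Department:
    name: str
    systems: List[System] = field(default_factory=list)

    def exposure(self) -> float:
        return sum(s.exposure() for s in self.systems)

def enterprise_exposure(departments: List[Department]) -> float:
    return sum(d.exposure() for d in departments)

def systems_over_threshold(departments: List[Department], threshold: float) -> List[System]:
    """Systems whose expected annual loss exceeds the organization's tolerance, worst first."""
    hits = [s for d in departments for s in d.systems if s.exposure() > threshold]
    return sorted(hits, key=lambda s: s.exposure(), reverse=True)

# Constructed sample inputs; the figures are illustrative only.
CRM = System("crm", records=50_000, annual_breach_likelihood=0.10, regulatory_fine=100_000.0,
             notification_cost_per_record=2.0, operational_cost=30_000.0)
HR = System("hr", records=2_000, annual_breach_likelihood=0.05, regulatory_fine=20_000.0,
            notification_cost_per_record=2.0, operational_cost=10_000.0)
DEPARTMENTS = [Department("sales", [CRM]), Department("people", [HR])]
```

With these inputs the CRM system alone accounts for most of the enterprise's expected loss, which is the kind of ranking the post wants in order to plan spending rather than react to the latest headline.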

It’s the future and it’s happening faster than we think.