
Posts Tagged ‘fear’

The Placebo Effect of FUD

December 16th, 2010 No comments

The Placebo Effect

Irving Kirsch, psychologist at the University of Connecticut, and Guy Sapirstein did several experiments on the effectiveness of the placebo effect.

[Irving Kirsch] and Guy Sapirstein analyzed 19 clinical trials of antidepressants and concluded that the expectation of improvement, not adjustments in brain chemistry, accounted for 75 percent of the drugs’ effectiveness (Kirsch 1998). “The critical factor,” says Kirsch, “is our beliefs about what’s going to happen to us. You don’t have to rely on drugs to see profound transformation.” In an earlier study, Sapirstein analyzed 39 studies, done between 1974 and 1995, of depressed patients treated with drugs, psychotherapy, or a combination of both. He found that 50 percent of the drug effect is due to the placebo response.

The problem is that “all placebo effects eventually wear off, thus making the placebo effect impractical for long term or chronic medical matters.”

Fear, Uncertainty, Doubt

In the same way, the information security industry, and arguably the nation-state at large, regularly uses fear, uncertainty, and doubt – or F.U.D. – as a method of enticing people to take certain actions/reactions.  We take this easy way out because it’s a lot easier to tell a scary story than to explain the complexities of reality.

A large data breach happens and it causes a state of fear that, for a short term, triggers a fight-or-flight response. Some people will use this to push through new regulation, laws, or increased spending. We saw this in response to 9-11 and we see it every day in businesses.

The problem with this method, aside from the ethical issues with its use, is that, like the placebo effect, it eventually wears off and thus is ineffective for long term use.  At which point, you either need to reinforce the fear, which typically leads to acceptance (sometimes in the form of cynicism), or you need to replace the placebo of fear with facts.

P.T.S.D. and Data Breaches

Cognitive behavioral therapy is a well known and accepted method for dealing with post traumatic stress disorder (PTSD). It works by slowly and gradually exposing the individual to a feared state in a safe and reassuring manner. The old memories are not erased, but the new memories are additive in providing a more positive association with the remembered experience. Reinforced FUD takes that same method but drives us along a regression path. Instead of moving beyond the fear, it reinforces it, driving it further inward and eventually preventing the subject from functioning (rationally) altogether.

Only reinforced facts about a situation can give individuals the self-confidence they need to survive potentially negative situations (such as a data breach) and move beyond them instead of reacting negatively to them. Once armed with knowledge, you can make rational decisions based on evidence rather than emotion and knee-jerk responses.

Being equipped with knowledge and well-reasoned data enables us to plan and prepare rather than always existing in a reactive state.

Measuring Risk

One way to arm ourselves with confidence is to measure the risk in a system so our response to securing it can be made in a planned manner. When people discuss measuring risk there are a number of items that come to mind. It is important to remember that we are not trying to measure technical risk, though that is one part of the equation. We want to measure financial risk. By measuring the financial risk that a system, department, or enterprise exposes us to, we can calculate and plan a method of securing the data. This plan should take into account the financial liability or loss we are trying to avoid or mitigate.

This method differs from others in that it does not attempt to calculate the cost of a data loss per record, as that could vary based on the exposure in a system. It does not attempt to calculate the technical risk of a system or department, because that may have no direct correlation with the financial losses. It does not attempt to calculate the value of the money spent, as without a threshold for success (or an associated data breach) there is no way to optimize this measurement. The focus is entirely on the overall risk associated with data loss based on legal, regulatory, and operational costs.

Presently, we each need to create this calculation and thus reinvent the wheel for every environment, but why?

The risk of exposure should be accessible in data breach reports. The cost of financial fines and/or penalties is publicly listed by the FTC and the payment card brands. State data-breach-notification costs are generally accepted to fall within a known range. We know data breach statistics by industry and type of business.

Why can’t someone model this data in such a way that each organization can enter in their environmental attributes, adjust the risk levels as per their individual thresholds, and have it calculate a financial risk or exposure of each system, department, or enterprise?

It’s the future and it’s happening faster than we think.
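As an added illustration of the model proposed above (this is example code, not anything from the original post), the sketch below takes a system's environmental attributes, an industry breach likelihood, and the three cost components the post names (regulatory, legal, operational, plus a notification-cost range), applies an organisation-specific risk adjustment, and rolls the resulting financial exposure up by department and enterprise. All lookup tables and figures are constructed placeholders, not real FTC, card-brand or breach-report numbers.

```python
from dataclasses import dataclass

# Constructed, illustrative inputs: NOT real FTC, card-brand or breach-report figures.
BREACH_LIKELIHOOD = {"retail": 0.12, "healthcare": 0.18, "finance": 0.09}  # annual P(breach) by industry
NOTIFY_COST_RANGE = (1.0, 5.0)            # per-record notification cost, low/high, in currency units
REGULATORY_FINE = {"pci": 250_000.0, "phi": 150_000.0, "none": 0.0}  # fine exposure by data type held


@dataclass
class System:
    name: str
    department: str
    industry: str
    data_type: str
    records: int
    legal_cost: float        # expected legal/litigation cost if this system is breached
    operational_cost: float  # expected operational cost (forensics, remediation, downtime)


def loss_range(s):
    """Low and high single-breach loss: regulatory + legal + operational + notification."""
    fixed = REGULATORY_FINE[s.data_type] + s.legal_cost + s.operational_cost
    low_per_record, high_per_record = NOTIFY_COST_RANGE
    return fixed + s.records * low_per_record, fixed + s.records * high_per_record


def annual_exposure(s, risk_adjust=1.0):
    """Annualised financial exposure for one system.

    risk_adjust is the organisation's own threshold knob: scale the industry
    likelihood down for strong compensating controls or up for a known-weak system.
    """
    p = min(1.0, BREACH_LIKELIHOOD[s.industry] * risk_adjust)
    low, high = loss_range(s)
    return {"system": s.name, "department": s.department,
            "likelihood": p, "low": p * low, "high": p * high}


def rollup(exposures, key=None):
    """Aggregate low/high exposure by a field (e.g. 'department'); None gives the enterprise total."""
    totals = {}
    for e in exposures:
        bucket = e[key] if key else "enterprise"
        t = totals.setdefault(bucket, {"low": 0.0, "high": 0.0})
        t["low"] += e["low"]
        t["high"] += e["high"]
    return totals
```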


Why fear the analyst?

March 9th, 2010 2 comments

Someone turned me on to this article on fearing the auditor, which made me think of other information sources we might fear. The author of that article claims there are three types of auditors: the good, the bad, and the ugly (ok, so I paraphrased.)

Variance in individual quality should be no surprise since we see this in just about every industry. There is a range of skill in just about every profession, including penetration testing, auditing, and yes, analysts. So let me propose that there are three types of analysts:

  1. Polar Bears: These are people who believe that polarizing the conversation is the best way to improve the industry. They are masters of the catch phrase and speak only in sound bites. They survey a few people and make bold statements that reflect only one segment of the industry. What they lack in substance and facts they make up for in clichés.
  2. Gold Mine Speculators: These are people who do not know what the actual answer is but they speculate, typically in 5-10 year projection statements.  They may be correct 25% of the time but that’s good enough.  If they are correct people call them visionaries; if they are not they pick a new industry and re-speculate.
  3. Educators: They understand that there is no one simple answer but that solutions are custom made and long term collaborations.  They are not in the news as much since they are not making polar speculative claims, but they help bring a holistic analysis of the options and present the pros/cons with every statement.

I like analysts but believe that in every profession one should “seek first to understand and then to be understood”.


Becoming Fearless: Deweaponizing Permanence

December 13th, 2009 No comments

(Re-post of an item written in June 2007)

The mind offers protectionism against our fears, but this can sometimes lead to stagnation. It’s not a voluntary act, but more a learned experience. The government is an expert at this art. The information security community leverages it to impose their will on the masses. They even have a term for it: FUD – fear, uncertainty, and doubt.

But better than any social experiment, our mind is a master of illusion and perception augmentation. We can see this easily in the movies we watch. Anyone watching a scary movie knows the point at which fear enters the picture. The camera closes in on a character, leaving the viewer unable to see anything but their face. This triggers a reaction in the viewer's mind about the infinite number of things that could befall this character. Our mind is almost trained to enumerate the fearful possibilities and recite them to ourselves.

Left unchecked, this fear can be debilitating. In its best forms we call it complacency and in its worst we call it insanity. So we build structures against such fear. We arm ourselves with weapons such as hope, faith, and the lives of our heroes. Some religious groups will literally say they are “putting on the full armor of God” in order to do battle with the devil, of which fear is a material or mental manifestation.

One of these protective structures is permanence. We believe… we must believe that some things are permanent, even if just in the short term. We believe that we will live past tomorrow, or else people would do erratic things and chaos would ensue. We believe that we will grow old, or else we would never prepare for something we call ‘retirement’. We believe that strangers on the street will not randomly attack us, or else we would quickly become a society of roaming fear mongers. Society works because fear is contained and fed to us in only small and predictable doses. Fear can sometimes even make one feel safe and provide a central theme to unite a group of people.

What would happen if there was ever a loss of our beliefs or a fracture of the permanence that we so carefully rely on? Some might argue that chaos would follow, hence the argument for keeping people feeling safe and secure. But what about those things that cannot be controlled? The smaller things that, by their very nature, no government or society can contain?

Things like a relationship break up, death in the family, divorce, pain, solitude, shame? The list goes on and on. These are things that cannot be controlled and thus cannot offer permanence. These are the things that Reinhold Niebuhr thought of when he wrote the Serenity Prayer.

accept the things I cannot change,
have courage to change the things I can
and have the wisdom to know the difference

I couple this with the quote from Fight Club that says, “It’s only after we’ve lost everything that we’re free to do anything.” Fear exists within us all and it’s only when you free yourself of it that you can ever accomplish the things you imagine and desire. It’s only after you know, not just acknowledge, that some day things will change. You will no longer like chocolate, you will want children, you will learn that you always wanted to be something you were not, and then you will die.

It’s only after we confront our fears and take action that we can ever move beyond our current state of mind. It’s only after we step out into the abyss with our eyes wide open that we can ever evolve into something more than we currently are.

Oscar Levant is quoted as saying “there is a fine line between genius and insanity.” I do not believe this means that genius is close to insanity, but that insanity can remove the barriers in one's mind and enable them to see beyond their current static form and imagine the impossible.

My favorite quote is that “nothing is impossible, the impossible just takes longer.” To say this and believe it is one step closer to deweaponizing permanence, and for me one step closer towards happiness.


Becoming Fearless: Make the unknown known

September 15th, 2009 No comments

Fearless is an interesting word, for in fact, in being fearless you are not without fear, rather you are withstanding fear. You are moving forward in spite of it. Writing a very short story requires a degree of fearlessness, and I think reading one does also. I have deep respect for the very short story for many reasons, perhaps most profoundly for its fearlessness.
–Meredith Pignon

One of the things about becoming fearless is embracing your fears and adjusting to them. If your fear is writing then you should do it more and more until you think of it as an extension of your being. If your new fear is getting published, you need to do it more and more (even if just on your blog) so you can get over the feeling of fear associated with doing something new.

Remember buying your first house? Remember buying your second? Wasn’t it so much easier after you had been through the unknown once? Easier because you had mapped out and faced those fears head on. When it is the unknown that drives your fear, the way to overcome it is to make the unknown known.


Risk Management is a Utopian Kool-aid

May 5th, 2009 5 comments

Update: It should be noted that I am a believer in risk management, especially quantitative risk management, but simply want to highlight some of the effects that bounded rationality has on our ability to manage risk.  I want to push us towards a more optimized view of rationality and risk management.

When we think of how to protect our most sensitive data we have one of two approaches. Security is a tactical approach and risk management is a strategic approach. Security implies the implementation of sound risk management practices. While technical people like to talk about ‘vulns’, it is the risk management people who wax philosophical about long term strategy, data-centric vs. system-centric approaches, and drink from the fountain of Utopian kool-aid.

I too have paid my dues and talked about risk management in its perfect form.  This approach involves metrics, models, threat vectors, CIA triad, and a multitude of other factors.  Risk management was married long ago to the maiden of Capability and Maturity Models for long term vitality.  Combined, these two go hand in hand to protect data from the foes.  Or so the story goes.

Now, I’m not about to become a risk management heretic, but as Mahan Khalsa says in his infamous sales books, “let’s get real!”  One thing that risk management does not (typically) take into account is that people, humans, are irrational beings.  When it comes to assessing risk, managing hazards, making decisions, managing a crisis, navigating office politics, and altering perceptions we have a roadblock called emotion.  Within emotion are all the factors that influence our decision making capabilities, such as: fear, uncertainty, doubt, misdirection, and oh so many more.

History has shown that humans fear the small possibility of a quick, immediate death much more than the larger possibility of a long term, slow death. The World Health Organization (WHO) reported that from 2003 – 2009 the total number of global deaths from Avian Flu was 257. That’s not enough to even be a statistical anomaly, but we saw it on the cover of just about every magazine and newspaper around the world for a few months. The WHO does not even rank influenza, of any sort, in its top 10 causes of death. In fact, chronic heart disease killed 7.2 million people in 2004, and road traffic accidents killed 1.27 million people. We worry more about contracting a rare form of the flu and dying than we do about driving to the grocery store on a Friday night.

Proper MetriCon people might say that numbers don’t lie or have emotions, but the question is, “how good are those numbers?”  I recall one year an analyst group put out a press release saying that it costs companies $200 per lost credit card.  The following year many vendor companies ran with that number and sold their product as costing only $100 per record to protect.  This could result in a 50% savings.  The problem came the following year when the analyst firm revised their numbers to say that it only cost companies $80 per lost credit card.  (Numbers have been rounded and changed to protect their creators.)

I have been sold on the need for more metrics in risk management and security, but the problem is we need to temper our reaction to data the same way we wait for Service Pack 2 before purchasing software.

We need to temper our risk management approach to one that accepts the hesitation of people to make precise and accurate decisions, especially if they are not satisfying an immediate need.  I’ve spoken with many PCI Qualified Security Assessor (QSA) companies and many agree that companies focus on satisfying compliance first and push off risk management for a later date, that sometimes never arrives.  The economics do not even need to matter as long as the immediate need is being satisfied.

People would rather spend more money now to satisfy compliance even if they could spend less over the long term to pave the road for a sound security strategy.  Why?  Well, there are many reasons but some of them include:

  • High turnover
  • Annual management based objectives (MBOs)
  • Immediate need for “compliance”
  • Lack of enterprise visibility
  • Siloed departments/divisions
  • Lack of information/education

It is the lack of awareness, information, and education that causes many companies to ignore the long term death and focus on the short term threat. This can be like putting a band-aid on a bloody stump and calling it a mere “flesh wound”.

We need to accept that people are going to make irrational decisions and devise new and creative ways to re-educate them about the decisions they are making.  I think that better and better metrics are certainly a way to get there, but we are a long way from the panacea of payment security and risk metrics.
