Whose Risk Is It Anyway? June 6, 2016

Nolan Gould

Human beings as a species are generally terrible at rationally assessing risk. This is particularly apparent when we look at basic everyday risks, and just as apparent when we look at the common threats and risks of IT security.

Thanks to the media, blogs, viral videos and the security services, the general public substantially overestimates the likelihood of spectacular, headline-worthy catastrophes while completely ignoring many of the extreme dangers posed by common, everyday activities.

A prime example of this irrationality is the fear of flying, fueled by news reports citing terrorism, bomb threats and near misses, as well as mysterious or even spectacular plane crashes. Other perceived threat vectors come from government agencies with a stated vested interest in keeping us safe (and, of course, in keeping themselves funded). Airport security screening then further amplifies this latent terror for the misinformed traveler.

The end result: in the US we put up with paying (as of 2015) another $7 billion in taxes, and even more added to the cost of an airline ticket, for the illusion of feeling safe. When a former FBI assistant director was asked about an effective method of funding anti-terrorism, he put it thus: “Keep Fear Alive”. The FBI cannot even explain its success metrics for the perceived “war on terrorism”. The only real measurement we appear to fall back on is when the security fails, and the only answer then seems to be that we need to spend more!

Tragically, this appears to be much the same rhetoric the terrorists themselves use to measure how effective their terrorism is on its intended target populations. The more perceived threats there are, and the larger the anti-terror agencies become, the more visible those agencies are as they broadcast the potential threats posed by future terrorism! Aside from the actual heinous attacks, a terrorist organization perhaps measures its success by how much additional chaos, media coverage, public inconvenience, fear and growth in anti-terror security services its actions catalyse.

Shocking airborne terrorist attacks such as 9/11 understandably leave the vast majority of the world's population with a “never again”, security-at-all-costs attitude, although the total number of people ever wounded or killed by terrorism in air travel is many orders of magnitude smaller than the number of victims of “ordinary” dangers on the drive to and from the airport. Consider having a blow-out, hitting a deer, cow, dog or pothole, or being hit by a distracted driver, a truck or road debris on the way to the airport: all of these have serious or even lethal consequences for thousands of travelers every year.

From a pure risk/value/mitigation assessment this seems an absurd disparity: we could dramatically reduce the overall risk simply by paying a little more money to fix potholes. Our collective thinking is habituated and skewed by sheer terror, amplified by sensational media coverage, augmented by continual terrorist rhetoric and supplemented by security agency threat alerts. As a result, the perceived terror risks feel far more salient and likely than they are in reality. Consequently we are collectively convinced that it is worth standing up and funding entire government security agencies to combat the potential threats!


Keeping “Little Jimmy” safe!

As a general rule, most individuals underestimate the risks of anything that carries a perceived benefit to them. The intended achievement of a laudable goal (or simply “what's in it for me”) often creates tunnel vision in which many risks are ignored, or at least not adequately considered in context. Consider first-time parents of a small child whom they need to start driving to kindergarten. They logically purchase a very large SUV, perhaps a Chevy Suburban, so that “little Jimmy” can be safe. What they understandably fail to consider are the consequences when the brakes fail on the Suburban. A smaller vehicle would simply bounce off the curb, the airbags would deploy and there might be some minor injuries. With the height and gross tonnage of the Suburban, however, it bounces over the curb and through the wall into the classroom, killing six of little Jimmy's classmates!


At least “Little Jimmy” was safe!

A less contentious example is the inevitable project-management-by-dashboard method, where NOT delivering on time and on budget are the only perceived risks. This conversely leads to greater, or entirely imaginary, risks being attributed to activities that have no perceived upside. The “perfect” IT security solution is a prime example, where the pinnacle of success can only be measured by “nothing bad happened today”!

We tend to mostly ignore or underestimate the less controllable risks in IT security. For example, how easily can anyone in our organization be phished, scammed or induced to inadvertently disclose sensitive information? We have awareness training for that, but how easily or accurately can its effect be measured? A number of security solution providers have large marketing budgets behind products they can sell you to manage areas, functions and individuals you already have a degree of control over. But what happens when the actual threat is a password shared with a spouse and then used, and inadvertently disclosed, outside the organization? How can their solution address that?

The bottom line is that a risk assessment can only ever be a general guide, never an absolute. Perhaps risk assessment is more akin to Heisenberg's uncertainty principle: a thorough, unbiased quantitative risk assessment can certainly give a bottom-line risk score, but as soon as it is observed and the results consumed by you, me or anyone else, each person's score will probably be different.
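The “pure risk/value/mitigation assessment” of the pothole argument and the “bottom-line risk score” just mentioned can be made concrete with a toy annualised-loss-expectancy register. What follows is an added illustration, not code or figures from this post or its author: the `Risk` class, the helper names and every number in the register and the multipliers are constructed assumptions chosen to show the mechanics, not measured data. It shows a rare, headline-grabbing risk sitting below two mundane ones on expected loss, how a subjective “fear” multiplier on the frequency estimate flips that ranking, and why a cheap control on the common risk beats an expensive control on the rare one.

```python
"""Toy annualised-loss-expectancy (ALE) risk register.

Added illustration only: neither the figures nor the code come from the
post. Every number below is constructed to make the point, not measured.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    name: str
    annual_rate: float     # ARO: expected occurrences per year (an estimate)
    loss_per_event: float  # SLE: cost of one occurrence, in dollars

    def expected_loss(self) -> float:
        """ALE = ARO x SLE: the average yearly cost if the estimates hold."""
        return self.annual_rate * self.loss_per_event


def rank_by_expected_loss(risks):
    """Risk names ordered from largest to smallest expected yearly loss."""
    return [r.name for r in sorted(risks, key=Risk.expected_loss, reverse=True)]


def apply_perception_bias(risks, multipliers):
    """Scale each risk's frequency estimate by a subjective multiplier
    (>1 inflates it, <1 discounts it). Risks not named keep their rate."""
    return [replace(r, annual_rate=r.annual_rate * multipliers.get(r.name, 1.0))
            for r in risks]


def net_benefit(risk, rate_reduction, annual_control_cost):
    """Yearly loss avoided by a control minus what the control costs.
    rate_reduction is the fraction of occurrences the control prevents."""
    return risk.expected_loss() * rate_reduction - annual_control_cost


# Constructed register: one rare spectacular event beside two mundane ones.
REGISTER = [
    Risk("headline_breach", annual_rate=0.01, loss_per_event=5_000_000),
    Risk("phished_employee", annual_rate=12.0, loss_per_event=20_000),
    Risk("shared_password_leak", annual_rate=2.0, loss_per_event=50_000),
]

# Constructed "fear-adjusted" multipliers: the spectacular risk is felt to be
# fifty times likelier than estimated, the mundane one only half as likely.
FEAR_MULTIPLIERS = {"headline_breach": 50.0, "phished_employee": 0.5}


def main():
    print("Estimated ranking:", rank_by_expected_loss(REGISTER))
    print("Perceived ranking:",
          rank_by_expected_loss(apply_perception_bias(REGISTER, FEAR_MULTIPLIERS)))
    headline, phished, _ = REGISTER
    # An expensive control on the rare event versus a cheap one on the common event.
    print("Headline control :", net_benefit(headline, rate_reduction=0.9, annual_control_cost=200_000))
    print("Phishing control :", net_benefit(phished, rate_reduction=0.5, annual_control_cost=30_000))


if __name__ == "__main__":
    main()
```

The only input that changes between the two rankings is the frequency estimate, which is exactly the number a headline or a threat alert moves; the loss per event is unchanged. Whoever supplies the multipliers supplies the score, which is the post's point about observers.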