Confirmation Bias - How To Stop Doing The Things In IT Security That Don't Work
However, what’s interesting is that the CISOs we spoke with say neither of these approaches
effectively solves the problem. Quantitative risk analysis isn’t the be-all and end-all. Just because a
risk is scored at 98 out of 100 doesn’t mean it will be remediated. Besides cost, the business
significantly influences the decision of whether to spend money. And most surprising to us, in
the end, many CISOs told us they ignore all their own data, vendor input and pundit whitepapers
and make a gut decision.

Let’s be clear: Gut decisions are not useful. Very often they’re based on a confirmation bias, also
called confirmatory or “my side” bias. That’s the tendency for people to favor information that
confirms their preconceptions or hypotheses, regardless of whether the information is true. If
you have a confirmation bias that laptop theft is the largest concern, whether it is or not, you
will find a way to get disk encryption to be the highest-priority project.

Avoiding confirmation bias can be difficult. The first step is to realize that we’re all prone to it.
If you have a tendency to collect a lot of information and then ignore it, or always find yourself
debating the rest of the organization on which threats are most imminent, you may be more
susceptible than average.

Try this exercise: Ask your peers to honestly assess whether they think you frequently make
decisions based on gut instinct. Listen to what they say, and understand that it’s almost
impossible to build trust with an information source—such as your risk assessment team—if you
have this tendency.

Presentation Transcript

  • Slide 1: Copyright © 2010-2011 IANS. The contents of this presentation are confidential. All rights reserved. Confirmation Bias: How to Stop Doing the Things in Security That Don't Work. November 2011
  • Slide 2: Who am I? Michael A. Davis, CEO of Savid Technologies (IT Security, Risk Assessment, Penetration Testing). Speaker at Blackhat, Defcon, CanSecWest, Toorcon, Hack In The Box. Open Source Software Developer: Snort, Nmap, Dsniff. Savid Technologies: Risk Assessments, IT Security Consulting, Audit and Compliance.
  • Slide 3: Author
  • Slide 4: The Issue. “Single biggest security related problem is a lack of Senior Level commitment to enterprise wide security policies.” Source: 2011 InformationWeek Strategic Security Survey, June 2011
  • Slide 5: Execs Are Paying Attention. [Bar chart: Exec Involvement and Budget Constraints, 2010 vs. 2011, 0% to 40% scale.] Source: Information Week Data Survey, 2011
  • Slide 6: We Protect, They Are Criticized. According to Bloomberg News, Sony has been subpoenaed by New York attorney general Eric Schneiderman, who is "seeking information on what Sony told customers about the security of their networks, as part of a consumer protection inquiry." (Source: informationweek.com) Rep. Mary Bono Mack (R-Calif.), the subcommittee chair, said that Sony should have informed its consumers of the breach earlier and said its efforts were “half-hearted, half-baked.” She was particularly critical of Sony’s decision to first notify customers of the attack via its company blog, leaving it up to customers to search for information on the breach. (Source: washingtonpost.com)
  • Slide 7: We All Do Them. [Bar chart: % that perform Risk Assessments (Yes / No / Don't Know), 2010 vs. 2011, 0% to 80% scale.] Source: 2011 InformationWeek Analytics Strategic Security Survey
  • Slide 8: The Reality. Risk Assessment Effectiveness: Very 30%, Somewhat 67%, Not At All 3%. Source: 2011 InformationWeek Analytics Strategic Security Survey
  • Slide 9: Complex IT Projects Fail - A Lot. Out of 200 multinationals: 67% failed to terminate unsuccessful projects; 61% reported major conflicts; 34% of projects were not aligned with strategy; 32% performed redundant work; 1 in 6 projects had a cost overrun of 200%! Source: 2011 Harvard Business Review – Berlin Univ Technical survey
  • Slide 10: T-Mobile CISO On Metrics. “Security experts can't measure their success without security metrics, and what can't be measured can't be effectively managed.” ~ Bill Boni, VP of IS, T-Mobile USA
  • Slide 11: Why Do We Care? Management asks: “Are We Secure?” Without metrics: “Depends How You Look At It.” With metrics: “Look At Our Risk Score Before This Project, It Dropped 15%. We Are More Secure Today Than Yesterday.”
  • Slide 12: Metrics, We need metrics!
  • Slide 13: Where/What to measure.
    – Strategy/Governance: Code Reviews, Project Risk Assessments, Exceptions/Waivers
    – Tactical/Sec Ops: Vuln Management, Patch Management, Incidents, etc.
    – Candidate metrics: IS budget spending per employee; policy gaps in existence; industry standards adopted; awareness plan; % of projects going through the assessment process; # of policy exceptions; # of risk acceptances; % of projects doing code reviews; error rates; frequency of vulnerability assessment; # of outstanding vulnerabilities; rate of fixing; trend of incident response losses
  • Slide 14: Who are you? TCO, Patch Latency, SPAM/AV Stats
  • Slide 15: Examples of metrics.
    – Baseline Defenses Coverage (AV, FW, etc.): measurement of how well you are protecting your enterprise against the most basic information security threats. 94% to 98%; less than 90% is cause for concern.
    – Patch Latency: time between a patch’s release and your successful deployment of that patch. Express as averages and by criticality.
    – Platform Security Scores: measures your hardening guidelines.
    – Compliance: measure departments against security standards, e.g. number of Linux servers at least 90% compliant with the Linux platform security standard.
  • Slide 16: Phishing Still Works
  • Slide 17: Stop With The Confirmation Bias.
    – Risk perception is bad: tornado vs. kitchen fire; the less familiar is perceived as the greater risk.
    – We favor information that matches our preconceptions.
    – Cause-and-effect processing: correlation does not equal causation.
    – We manage risk using metrics that don’t matter.
  • Slide 18: (no transcript text)
  • Slide 19: The Formula Of Successful Risk Management: PBL = λ1 × p1 + λ2 × p2 + λ3 × p3
  • Slide 20: Hazard vs. Speculative Risk
  • Slide 21: Linking to Business Goals. Copyright Carnegie Mellon SETI MOSAIC Whitepaper
  • Slide 22: Outcome Management. Copyright Carnegie Mellon SETI MOSAIC Whitepaper
  • Slide 23: It Is About Risk MANAGEMENT. Effective Metrics Catalog; define for each metric: Category, Metric, How To Measure, Purpose Of This Metric, Target Audience, Reporting Frequency/Period.
  • Slide 24: 5 Signs You Have a Confirmation Bias: using quantitative risk scores to make decisions; looking at security events instead of the probability of vulnerabilities; talking about risk in terms of “industry data”; lack of risk management; inability to communicate risk.
  • Slide 25: Security Metric Gotchas.
    – Not tracking visibility: what % is the metric representing? Develop a baseline for acceptance.
    – Not trending: provide at least 4 previous periods and a trend line.
    – Not providing forward guidance: Red, Green, Yellow (Worse, Better, Same).
    – Not mapping to a business goal.
    – Focusing on hazard risk.
    – Not using qualitative metrics.
  • Slide 26: Contact Information. Michael A. Davis, mdavis@savidtech.com, 708-532-2843, Twitter: @mdavisceo
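The metric definitions on slide 15 and the reporting rules on slide 25 (visibility, at least four previous periods with a trend line, Red/Yellow/Green forward guidance) as a small worked example in Python; this is added code, not from the deck or from IANS/Savid. The host inventory, patch records and history values are constructed, and the colour mapping follows the slide's Worse/Better/Same wording.

```python
from datetime import date
from statistics import mean
# Constructed sample inventory (not from the deck); None = agent never reported.
HOSTS = [
    {"name": "web01", "av": True, "fw": True},
    {"name": "web02", "av": True, "fw": False},
    {"name": "db01", "av": True, "fw": True},
    {"name": "app01", "av": None, "fw": None},  # unknown is not "covered"
    {"name": "app02", "av": True, "fw": True},
]
# Constructed patch records: vendor release date vs. our successful deployment.
PATCHES = [
    {"criticality": "critical", "released": date(2011, 10, 11), "deployed": date(2011, 10, 14)},
    {"criticality": "critical", "released": date(2011, 10, 11), "deployed": date(2011, 10, 18)},
    {"criticality": "low", "released": date(2011, 10, 11), "deployed": date(2011, 11, 20)},
]

def baseline_coverage(hosts):
    """Slide 15 'Baseline Defenses Coverage' with the slide 25 visibility check:
    report what share of the estate the metric actually saw, not just the score."""
    measured = [h for h in hosts if h["av"] is not None and h["fw"] is not None]
    covered = sum(1 for h in measured if h["av"] and h["fw"])
    coverage = 100.0 * covered / len(measured) if measured else 0.0
    return {"coverage_pct": round(coverage, 1),
            "visibility_pct": round(100.0 * len(measured) / len(hosts), 1),
            "concern": coverage < 90.0}  # deck: under 90% is cause for concern

def patch_latency(patches):
    """Slide 15 'Patch Latency': days from release to deployment, averaged per criticality."""
    days = {}
    for p in patches:
        days.setdefault(p["criticality"], []).append((p["deployed"] - p["released"]).days)
    return {c: round(mean(d), 1) for c, d in days.items()}

def trend_guidance(history, lower_is_better=True):
    """Slide 25: refuse to report without 4 previous periods, fit a least-squares
    trend line, and give forward guidance as Red/Yellow/Green = Worse/Same/Better."""
    if len(history) < 5:
        raise ValueError("need the current period plus at least 4 previous periods")
    xs = range(len(history))
    xbar, ybar = mean(xs), mean(history)
    slope = (sum((x - xbar) * (y - ybar) for x, y in zip(xs, history))
             / sum((x - xbar) ** 2 for x in xs))
    prev, cur = history[-2], history[-1]
    if cur == prev:
        colour = "Yellow"  # Same
    else:
        colour = "Green" if (cur < prev) == lower_is_better else "Red"  # Better / Worse
    return {"slope_per_period": round(slope, 2), "guidance": colour}
```

With the constructed inventory the coverage figure alone (75%) would hide that one host in five was never measured, which is the visibility gotcha the slide warns about.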