Andy Ellis (CSO, Akamai) - Humans and Risk

1. @CSOAndy Humans and Risk Andy Ellis @csoandy www.csoandy.com

2. @CSOAndy Why do people make incomprehensible decisions? SecurityProduct Owner Anyone can be a villain in someone’s story. Modal Bias!

3. @CSOAndy A business conversation? Here is my project. Is it safe? Here is my dangerous plan! Sign off on it! Here’s an ISO checklist! Fill it out! Justify infosec budget with this makework!

4. @CSOAndy A business conversation? What do these phrases mean? I can’t be bothered to understand this. We’ll fill it out for you. We’ll do the work, just give us more budget!

5. @CSOAndy A business conversation? Is it done yet? All I care about is my schedule. Why didn’t you use ChaCha20- Poly1305? I’m smarter than you are, and I know big words.

6. @CSOAndy A business conversation? Is that a showstopper? I’m going to do this no matter what…. No, but we don’t recommend launch. I’m just CYA over here. You’re fine, but I won’t admit it.

7. @CSOAndy Humans are at risk management. badatrociousawfulconfusingincompetentincomprehensiblehorribleperplexing____________ @CSOAndy

8. @CSOAndy Humans are at risk management. awesomeawful @CSOAndy

9. @CSOAndy Observe Orient Decide Act Attention Processing Executive Function Coordination O O D A #KeyTakeAway Decision Making: The OODA Loop @CSOAndy

10. @CSOAndy Why do people make decisions? “stupid”incomprehensible“bad” @CSOAndy

11. @CSOAndy CONSTRAINTS ATTENTION Proximity Novelty Urgency MODELS Context Framing Expectations RISKS Costs Fears Expected outcomes TRAINED RESPONSES Practice Repetitive Low risk HAZARDS Distributed social networks Fast information flow Virtual proximity Confirmation bubbles Hindsight expectations Obscure costs Complex returns Repurposed responses Dunning-Kruger O O D A The Power of Models

12. @CSOAndy CONSTRAINTS ATTENTION Proximity Novelty Urgency MODELS Context Framing Expectations RISKS Costs Fears Expected outcomes TRAINED RESPONSES Practice Repetitive Low risk HAZARDS Distributed social networks Fast information flow Virtual proximity Confirmation bubbles Hindsight expectations Obscure costs Complex returns Repurposed responses Dunning-Kruger O O D A The Power of Models

13. @CSOAndy Historical paranoia “Monkey on rope ladder” by Rachel Coleman Finch is licensed under Creative Commons 2.0 Generic | @CSOAndy

14. @CSOAndy Prisoner’s Dilemma Actual Prisoner’s Dilemma Different communities have different expectations! If we believe our “partner” will cheat on us, we’ll cheat first. Loyal Betray -3 -1 -3 -10-10 -5 -1 -5 30% 19% 13% 40% Loyal Betray Loyal Betray

15. @CSOAndy CONSTRAINTS ATTENTION Proximity Novelty Urgency MODELS Context Framing Expectations RISKS Costs Fears Expected outcomes TRAINED RESPONSES Practice Repetitive Low risk HAZARDS Distributed social networks Fast information flow Virtual proximity Confirmation bubbles Hindsight expectations Obscure costs Complex returns Repurposed responses Dunning-Kruger O O D A Risky Business

16. @CSOAndy Hazards used to be simple… @CSOAndy “Attention Walmart Shoppers” by Robert Couse-Baker is licensed under Creative Commons 2.0 Generic

17. @CSOAndy So we think risk calculations ought to be easy Loss $5M $5B Probability 10% / year .01% / year ALE $500K $500K Price of buying $50K $50K Maintenance $14K $14K Reduction in events 10% 10% Cost $26K / year $26K / year Risk Reduction $50K / year $50K / year Savings $24K / year $24K / year

18. @CSOAndy Qualitative Risk Matrix High Damage Moderate Damage Low Damage Very Likely Priority 1 Priority 2 Priority 5 Likely Priority 3 Priority 4 Priority 7 Unlikely Priority 6 Priority 8 Priority 9

19. @CSOAndy High Damage Moderate Damage Low Damage Very Likely Priority 1 Priority 5 Likely Unlikely Priority 6 Priority 9 Qualitative Risk Matrix

20. @CSOAndy … but now risks are more complex. Image Source: Jeep® @CSOAndy

21. @CSOAndy Cost Context Matters You are given one opportunity to play a game. A fair, 20-sided die will be rolled. You bet X; if your number is rolled, you keep your bet, and get back 20X; otherwise, you lose your bet. Your expected payout is thus 1.05. Would you bet $1? Would you bet $10? Would you bet $100? Would you bet $1,000? Would you bet $10,000? Would you bet $100,000? Would you bet $1,000,000?

22. @CSOAndy “You don’t know what you’ve got ‘til it’s gone.” @CSOAndy You value something by what you give up to get it.

23. @CSOAndy Peltzman Effect Coffey, Seamus. “The Peltzman Effect.” Microeconomics and Behaviour, October 2010, microeconomicsandbehaviour.blogspot.com/2010/10/peltzman-effect.html RISK REDUCTION PERCEIVED RISK

24. @CSOAndy CONSTRAINTS ATTENTION Proximity Novelty Urgency MODELS Context Framing Expectations RISKS Costs Fears Expected outcomes TRAINED RESPONSES Practice Repetitive Low risk HAZARDS Distributed social networks Fast information flow Virtual proximity Confirmation bubbles Hindsight expectations Obscure costs Complex returns Repurposed responses Dunning-Kruger O O D A The Spotlight

25. @CSOAndy

26. @CSOAndy@CSOAndy Image Source: Simons, D. J., & Chabris, C. F. (1999). Gorillas in our midst: Sustained inattentional blindness for dynamic events. Perception, 28, 1059-1074

27. @CSOAndy@CSOAndy

28. @CSOAndy

29. @CSOAndy CONSTRAINTS ATTENTION Proximity Novelty Urgency MODELS Context Framing Expectations RISKS Costs Fears Expected outcomes TRAINED RESPONSES Practice Repetitive Low risk HAZARDS Distributed social networks Fast information flow Virtual proximity Confirmation bubbles Hindsight expectations Obscure costs Complex returns Repurposed responses Dunning-Kruger effect O O D A The Response Playbook

30. @CSOAndy System 1 vs System 2 LEFT RIGHT LEFT RIGHT LEFT RIGHT LEFT RIGHT

31. @CSOAndy System 1 vs System 2 LEFT LEFT LEFT RIGHT RIGHT LEFT RIGHT RIGHT

32. @CSOAndy CONSTRAINTS ATTENTION Proximity Novelty Urgency MODELS Context Framing Expectations RISKS Costs Fears Expected outcomes TRAINED RESPONSES Practice Repetitive Low risk HAZARDS Distributed social networks Fast information flow Virtual proximity Confirmation bubbles Hindsight expectations Obscure costs Complex returns Repurposed responses Dunning-Kruger effect O O D A

33. @CSOAndy Humans are awesome at risk management. situationally @CSOAndy

34. @CSOAndy

35. @CSOAndy CONSTRAINTS ATTENTION Proximity Novelty Urgency MODELS Context Framing Expectations RISKS Costs Fears Expected outcomes TRAINED RESPONSES Practice Repetitive Low risk HAZARDS Distributed social networks Fast information flow Virtual proximity Confirmation bubbles Hindsight expectations Obscure costs Complex returns Repurposed responses Dunning-Kruger effect The End of the Right Situation? #KeyTakeAway O O D A

36. @CSOAndy Improvement through Adversarial Learning A D O O O O D A

37. @CSOAndy A D O OInjection Stealth Misdirection Maneuver O O D A OODA Attacks Mistakes Paralysis Distraction Blindness Complacency Confusion Ineptitude Surprising Misleading

38. @CSOAndy Improvement through Introspection A D O O O O D A

39. @CSOAndy OODA Improvements O O D A

40. @CSOAndy OODA Improvements O O D A Noise reduction Instrumentation Hazard review Model analysis Bayesian retrospection Planning Impact assessment Training

41. @CSOAndy@CSOAndy ANSWERS? Andy Ellis @csoandy www.csoandy.com

42. @CSOAndy Copyright Notification • Akamai Logo (Triple Wave Swoosh and Akamai Name) and Tagline are copyright and registered marks of Akamai. Slide template copyright Akamai. • All photos marked with copyright information, unless they are in the public domain. • All other content and assembly is licensed under the Creative Commons 2.0 Attribution License (CC-BY). Non-binding expression of intent: if you’re inspired by this, and just create your own, no attribution required. If you’re copying graphics, Stephanie Sullivan of Akamai is the originator. If you’re copying texts, Andy Ellis of Akamai is the originator. (Note: If you’re copying photos, their copyright holds).

Andy Ellis (CSO, Akamai) - Humans and Risk

You are reading a preview.

Check these out next

Andy Ellis (CSO, Akamai) - Humans and Risk

More Related Content

Similar to Andy Ellis (CSO, Akamai) - Humans and Risk (20)

More from Business of Software Conference (20)

Recently uploaded (20)