Copyright © 2010-2011 IANS. The contents of this presentation are confidential. All rights reserved.
Confirmation Bias
How to Stop Doing the Things in Security That Don't Work
November 2011
Who am I?
» Michael A. Davis
– CEO of Savid Technologies
• IT Security, Risk Assessment, Penetration Testing
– Speaker
• Blackhat, Defcon, CanSecWest, Toorcon, Hack In The Box
– Open Source Software Developer
• Snort
• Nmap
• Dsniff
» Savid Technologies
– Risk Assessments, IT Security Consulting, Audit and Compliance
Author
The Issue
“Single biggest security related problem is a lack of Senior Level commitment to enterprise wide security policies.”
Source: 2011 InformationWeek Strategic Security Survey, June 2011
Execs Are Paying Attention
[Chart: Exec Involvement and Budget Constraints, 2010 vs. 2011 (y-axis 0% to 40%)]
Source: Information Week Data Survey, 2011
We Protect, They Are Criticized
According to Bloomberg News, Sony has been subpoenaed by New York attorney general Eric Schneiderman, who is "seeking information on what Sony told customers about the security of their networks, as part of a consumer protection inquiry." (Source: informationweek.com)
Rep. Mary Bono Mack (R-Calif.), the subcommittee chair, said that Sony should have informed its consumers of the breach earlier and said its efforts were “half-hearted, half-baked.” She was particularly critical of Sony’s decision to first notify customers of the attack via its company blog, leaving it up to customers to search for information on the breach. (Source: washingtonpost.com)
We All Do Them
Source: 2011 InformationWeek Analytics Strategic Security Survey
[Chart: % that perform Risk Assessments (Yes / No / Don't Know), 2011 vs. 2010 (y-axis 0% to 80%)]
The Reality
Source: 2011 InformationWeek Analytics Strategic Security Survey
Risk Assessment Effectiveness
Very: 30%
Somewhat: 67%
Not At All: 3%
Complex IT Projects Fail - A Lot
Out Of 200 Multi-nationals:
67% Failed To Terminate Unsuccessful Projects
61% Reported Major Conflicts
34% Of Projects Were Not Aligned With Strategy
32% Performed Redundant Work
1 In 6 Projects Had A Cost Overrun Of 200%!
Source: 2011 Harvard Business Review – Berlin Univ Technical survey
T-Mobile CISO On Metrics
“Security experts can't measure their success without security metrics, and what can't be measured can't be effectively managed.”
~ Bill Boni, VP of IS, T-Mobile USA
Why Do We Care?
Management Asks:
– “Are We Secure?”
Without Metrics:
– “Depends How You Look At It”
With Metrics:
– “Look At Our Risk Score Before This Project, It Dropped 15%. We Are More Secure Today Than Yesterday”
Metrics, We need metrics!
Where/What to measure
Strategy/Governance
Code Reviews, Project Risk Assessments, Exceptions/Waivers
Tactical/Sec Ops
Vuln Management, Patch Management, Incidents, etc.
IS Budget
Spending/employee
Policy gaps in existence
Industry Standards Adopted
Awareness Plan
% projects going through assessment process
# of policy exceptions
# of risk acceptances
% project doing code reviews
Error rates
Freq of vuln assessment
# outstanding vulns
Rate of fixing
Trend of incident response losses
Who are you?
TCO
Patch Latency
SPAM/AV Stats
Examples of metrics
Baseline Defenses Coverage (AV, FW, etc)
– Measurement of how well you are protecting your enterprise against the most basic information security threats.
– 94% to 98%; less than 90% cause for concern
Patch Latency
– Time between a patch’s release and your successful deployment of that patch.
– Express as averages and criticality
Platform Security Scores
– Measures your hardening guidelines
Compliance
– Measure departments against security standards
– Number of Linux servers at least 90% compliant with the Linux platform security standard
Phishing Still Works
Stop With The Confirmation Bias
Risk Perception Is Bad
– Tornado V. Kitchen Fire
– Less Familiar Are Perceived As Greater Risk
Favor Info That Match Preconceptions
Cause And Effect Processing
Correlation Does Not Equal Causation
We Manage Risk Using Metrics That Don’t Matter
The Formula Of Successful Risk Management
PBL = λ1 x p1 + λ2 x p2 + λ3 x p3
Hazard vs. Speculative Risk
Linking to Business Goals
Copyright Carnegie Mellon SETI MOSAIC Whitepaper
Outcome Management
Copyright Carnegie Mellon SETI MOSAIC Whitepaper
It Is About Risk MANAGEMENT
Effective Metrics Catalog Define:
Category
Metric
How To Measure
Purpose Of This Metric
Target Audience
Reporting Frequency/Period
5 Signs You Have a Confirmation Bias
Using Quantitative Risk Scores To Make Decisions
Look At Security Events Instead Of Probability Of Vulnerabilities
Talk About Risk In Terms Of “Industry Data”
Lack Of Risk Management
Inability To Communicate Risk
Security Metric Gotchas
Not Tracking Visibility
– What % is the metric representing?
– Develop baseline for acceptance
Not Trending
– Provide at least 4 previous periods and trend line
Not Providing Forward Guidance
– Red, Green, Yellow (Worse, Better, Same)
Not Mapping To A Business Goal
Focusing on Hazard Risk
Not Using Qualitative Metrics
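The two metrics from the "Examples of metrics" slide (patch latency by criticality and baseline defence coverage) run through the three reporting checks on the "Security Metric Gotchas" slide: visibility, a trend over at least four previous periods, and Red/Green/Yellow forward guidance. This is an added example, not code from the presentation; the estate, hosts, patch ids and history below are constructed sample data.

```python
"""Security metrics from the deck's examples (patch latency by criticality,
baseline defence coverage) run through the reporting checks from the
'Security Metric Gotchas' slide: visibility, a 4-period trend and
Red/Yellow/Green forward guidance. All data below is constructed."""
from __future__ import annotations

import math
from dataclasses import dataclass
from datetime import date
from statistics import mean


@dataclass(frozen=True)
class PatchRecord:
    host: str
    patch_id: str            # constructed placeholder id, not a real advisory
    criticality: str         # "critical", "high", "medium" or "low"
    released: date
    deployed: date | None    # None = not yet successfully deployed


def patch_latency(records: list[PatchRecord], as_of: date) -> dict[str, float]:
    """Average days from release to successful deployment, per criticality.
    An outstanding patch is counted up to as_of so it cannot hide from the
    metric by never being deployed."""
    days: dict[str, list[int]] = {}
    for r in records:
        end = r.deployed or as_of
        days.setdefault(r.criticality, []).append((end - r.released).days)
    return {c: mean(v) for c, v in days.items()}


def coverage_pct(covered: set[str], estate: set[str]) -> float:
    """Baseline defence coverage: % of the known estate with the control.
    Hosts only the control knows about (not in inventory) are ignored."""
    if not estate:
        return 0.0
    return 100.0 * len(covered & estate) / len(estate)


def visibility_pct(observed: set[str], estate: set[str]) -> float:
    """Gotcha 1: what share of the estate does this metric actually represent?"""
    return coverage_pct(observed, estate)


def trend_slope(series: list[float]) -> float:
    """Gotcha 2: least-squares slope per period over the current value and at
    least four previous periods. Raises if the history is too short."""
    if len(series) < 5:
        raise ValueError("need the current value plus at least 4 previous periods")
    n = len(series)
    x_mean = (n - 1) / 2
    y_mean = mean(series)
    num = sum((i - x_mean) * (y - y_mean) for i, y in enumerate(series))
    den = sum((i - x_mean) ** 2 for i in range(n))
    return num / den


def forward_guidance(series: list[float], lower_is_better: bool,
                     tolerance: float = 0.05) -> str:
    """Gotcha 3: Red / Green / Yellow = worse / better / same versus the
    previous period, with a tolerance band so noise is not reported as change."""
    prev, cur = series[-2], series[-1]
    rel = (cur - prev) / prev if prev else (0.0 if cur == 0 else math.inf)
    if abs(rel) <= tolerance:
        return "Yellow"
    improved = rel < 0 if lower_is_better else rel > 0
    return "Green" if improved else "Red"


# ---- constructed sample estate and patch records (not from the deck) ----
AS_OF = date(2011, 11, 1)
ESTATE = {"web01", "web02", "db01", "db02", "fs01", "hr-laptop"}
AV_HOSTS = {"web01", "web02", "db01", "db02", "fs01"}
FW_HOSTS = set(ESTATE)
RECORDS = [
    PatchRecord("web01", "P-001", "critical", date(2011, 10, 1), date(2011, 10, 4)),
    PatchRecord("web02", "P-001", "critical", date(2011, 10, 1), date(2011, 10, 8)),
    PatchRecord("db01", "P-002", "high", date(2011, 10, 10), date(2011, 10, 30)),
    PatchRecord("db01", "P-003", "critical", date(2011, 10, 20), None),
    PatchRecord("fs01", "P-004", "low", date(2011, 9, 1), date(2011, 10, 15)),
]
# previous four periods of critical-patch latency (days), oldest first
CRITICAL_HISTORY = [15.0, 12.0, 11.0, 9.0]


def build_report() -> dict:
    """Assemble the metrics with the visibility, trend and guidance fields
    that the Gotchas slide says every reported metric should carry."""
    latency = patch_latency(RECORDS, AS_OF)
    critical = CRITICAL_HISTORY + [latency["critical"]]
    return {
        "critical_latency_days": latency["critical"],
        "latency_visibility_pct": visibility_pct({r.host for r in RECORDS}, ESTATE),
        "critical_trend_per_period": trend_slope(critical),
        "critical_guidance": forward_guidance(critical, lower_is_better=True),
        "av_coverage_pct": coverage_pct(AV_HOSTS, ESTATE),
        "fw_coverage_pct": coverage_pct(FW_HOSTS, ESTATE),
    }


if __name__ == "__main__":
    for key, value in build_report().items():
        print(f"{key:28} {value}")
```

With the sample data, the critical-patch latency is trending down and rated Green, but only 4 of 6 inventoried hosts appear in the patch records, and AV coverage (83%) sits below the slide's 90% line of concern.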
Contact Information
Michael A. Davis
mdavis@savidtech.com
708-532-2843
Twitter: @mdavisceo
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 

Recently uploaded (20)

DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 

Confirmation Bias - How To Stop Doing The Things In IT Security That Don't Work

  • 1. Copyright © 2010-2011 IANS. The contents of this presentation are confidential. All rights reserved.
    Confirmation Bias: How to Stop Doing the Things in Security That Don't Work
    November 2011
  • 2. Who am I?
    » Michael A. Davis
      – CEO of Savid Technologies
        • IT Security, Risk Assessment, Penetration Testing
      – Speaker
        • Blackhat, Defcon, CanSecWest, Toorcon, Hack In The Box
      – Open Source Software Developer
        • Snort
        • Nmap
        • Dsniff
    » Savid Technologies
      – Risk Assessments, IT Security Consulting, Audit and Compliance
  • 3. Author
  • 4. The Issue
    “Single biggest security related problem is a lack of Senior Level commitment to enterprise wide security policies.”
    Source: 2011 InformationWeek Strategic Security Survey, June 2011
  • 5. Execs Are Paying Attention
    [Bar chart: Exec Involvement and Budget Constraints, 2010 vs. 2011, 0% to 40% scale]
    Source: Information Week Data Survey, 2011
  • 6. We Protect, They Are Criticized
    According to Bloomberg News, Sony has been subpoenaed by New York attorney general Eric Schneiderman, who is "seeking information on what Sony told customers about the security of their networks, as part of a consumer protection inquiry." (Source: informationweek.com)
    Rep. Mary Bono Mack (R-Calif.), the subcommittee chair, said that Sony should have informed its consumers of the breach earlier and said its efforts were “half-hearted, half-baked.” She was particularly critical of Sony’s decision to first notify customers of the attack via its company blog, leaving it up to customers to search for information on the breach. (Source: washingtonpost.com)
  • 7. We All Do Them
    [Bar chart: % that perform Risk Assessments (Yes / No / Don't Know), 2011 vs. 2010, 0% to 80% scale]
    Source: 2011 InformationWeek Analytics Strategic Security Survey
  • 8. The Reality
    Risk Assessment Effectiveness: Very 30%, Somewhat 67%, Not At All 3%
    Source: 2011 InformationWeek Analytics Strategic Security Survey
  • 9. Complex IT Projects Fail - A lot
    Out Of 200 Multi-nationals:
    – 67% Failed To Terminate Unsuccessful Projects
    – 61% Reported Major Conflicts
    – 34% Of Projects Were Not Aligned With Strategy
    – 32% Performed Redundant Work
    – 1 In 6 Projects Had A Cost Overrun Of 200%!
    Source: 2011 Harvard Business Review – Berlin Univ Technical survey
  • 10. T-Mobile CISO On Metrics
    “Security experts can't measure their success without security metrics, and what can't be measured can't be effectively managed.” ~ Bill Boni, VP of IS, T-Mobile USA
  • 11. Why Do We Care?
    Management Asks:
    – “Are We Secure?”
    Without Metrics:
    – “Depends How You Look At It”
    With Metrics:
    – “Look At Our Risk Score Before This Project, It Dropped 15%. We Are More Secure Today Than Yesterday”
  • 12. Metrics, We need metrics!
  • 13. Where/What to measure
    Strategy/Governance – Code Reviews, Project Risk Assessments, Exceptions/Waivers
    Tactical/Sec Ops – Vuln Management, Patch Management, Incidents, etc.
    – IS Budget Spending/employee
    – Policy gaps in existence
    – Industry Standards Adopted
    – Awareness Plan
    – % projects going through assessment process
    – # of policy exceptions
    – # of risk acceptances
    – % project doing code reviews
    – Error rates
    – Freq of vuln assessment
    – # outstanding vulns
    – Rate of fixing
    – Trend of incident response losses
  • 14. Who are you?
    – TCO
    – Patch Latency
    – SPAM/AV Stats
  • 15. Examples of metrics
    Baseline Defenses Coverage (AV, FW, etc)
    – Measurement of how well you are protecting your enterprise against the most basic information security threats.
    – 94% to 98%; less than 90% cause for concern
    Patch Latency
    – Time between a patch’s release and your successful deployment of that patch.
    – Express as averages and criticality
    Platform Security Scores
    – Measures your hardening guidelines
    Compliance
    – Measure departments against security standards
    – Number of Linux servers at least 90% compliant with the Linux platform security standard
  • 16. Phishing Still Works
  • 17. Stop With The Confirmation Bias
    Risk Perception Is Bad
    – Tornado V. Kitchen Fire
    – Less Familiar Are Perceived As Greater Risk
    Favor Info That Match Preconceptions
    Cause And Effect Processing
    Correlation Does Not Equal Causation
    We Manage Risk Using Metrics That Don’t Matter
  • 18. [no text on slide]
  • 19. The Formula Of Successful Risk Management
    PBL = λ1 x p1 + λ2 x p2 + λ3 x p3
  • 20. Hazard vs. Speculative Risk
  • 21. Linking to Business Goals
    Copyright Carnegie Mellon SETI MOSAIC Whitepaper
  • 22. Outcome Management
    Copyright Carnegie Mellon SETI MOSAIC Whitepaper
  • 23. It Is About Risk MANAGEMENT
    Effective Metrics Catalog – Define:
    – Category
    – Metric
    – How To Measure
    – Purpose Of This Metric
    – Target Audience
    – Reporting Frequency/Period
  • 24. 5 Signs You Have a Confirmation Bias
    – Using Quantitative Risk Scores To Make Decisions
    – Look At Security Events Instead Of Probability Of Vulnerabilities
    – Talk About Risk In Terms Of “Industry Data”
    – Lack Of Risk Management
    – Inability To Communicate Risk
  • 25. Security Metric Gotchas
    Not Tracking Visibility
    – What % is the metric representing?
    – Develop baseline for acceptance
    Not Trending
    – Provide at least 4 previous periods and trend line
    Not Providing Forward Guidance
    – Red, Green, Yellow (Worse, Better, Same)
    Not Mapping To A Business goal
    Focusing on Hazard Risk
    Not Using Qualitative Metrics
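The slide 15 metric definitions (baseline defenses coverage with its 94-98% / under-90% thresholds, patch latency as averages by criticality) and the slide 25 trending rules (at least four previous periods, Red/Yellow/Green forward guidance), worked through in Python as an added example that is not the presenter's code. The host inventory, patch records and period histories are constructed sample data, and the 0.5-per-period "flat" tolerance for Yellow is an assumption the deck does not state.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

# Constructed host inventory (not real data): True = baseline defenses (AV, FW) present
BASELINE = {"web01": True, "web02": True, "db01": True, "app01": True,
            "jump01": False, "hr-pc-7": True, "fin-pc-2": True, "lab-vm-3": False}

def baseline_coverage(hosts):
    """Baseline Defenses Coverage: percent of hosts with AV/FW in place."""
    return round(100.0 * sum(hosts.values()) / len(hosts), 1)

def coverage_status(pct):
    """Deck thresholds: 94-98% is the expected band, under 90% is cause for concern."""
    if pct < 90:
        return "concern"
    return "on target" if pct >= 94 else "below target"

@dataclass
class Patch:
    name: str
    criticality: str                  # "critical", "high" or "medium"
    released: date
    deployed: Optional[date] = None   # None = still outstanding

# Constructed patch records; names and dates are illustrative only
PATCHES = [
    Patch("vendor-patch-a", "critical", date(2011, 10, 11), date(2011, 10, 14)),
    Patch("vendor-patch-b", "critical", date(2011, 10, 11), date(2011, 10, 18)),
    Patch("vendor-patch-c", "high", date(2011, 10, 1), date(2011, 10, 21)),
    Patch("vendor-patch-d", "high", date(2011, 10, 20)),   # not yet deployed
    Patch("vendor-patch-e", "medium", date(2011, 9, 15), date(2011, 11, 1)),
]
AS_OF = date(2011, 11, 10)   # reporting date for the constructed data

def patch_latency(patches, as_of):
    """Patch Latency as an average per criticality (days from release to deployment).
    An outstanding patch counts as open through `as_of`, so it keeps raising the average."""
    days = {}
    for p in patches:
        end = p.deployed or as_of
        days.setdefault(p.criticality, []).append((end - p.released).days)
    return {c: round(mean(v), 1) for c, v in days.items()}

def trend_guidance(history, higher_is_better, flat=0.5):
    """Slide-25 rules: `history` is at least 4 previous periods plus the current one,
    oldest first. Returns (least-squares slope per period, Red/Yellow/Green = worse/same/better)."""
    if len(history) < 5:
        raise ValueError("need at least 4 previous periods plus the current one")
    xs = range(len(history))
    xbar, ybar = mean(xs), mean(history)
    slope = round(sum((x - xbar) * (y - ybar) for x, y in zip(xs, history))
                  / sum((x - xbar) ** 2 for x in xs), 3)
    if abs(slope) <= flat:   # no real movement between periods: "Same"
        return slope, "Yellow"
    improving = slope > 0 if higher_is_better else slope < 0
    return slope, "Green" if improving else "Red"

if __name__ == "__main__":
    print(baseline_coverage(BASELINE), patch_latency(PATCHES, AS_OF))
    print(trend_guidance([91.0, 92.5, 93.0, 94.5, 96.0], higher_is_better=True))
```

Note the direction flag: coverage improves as it rises, latency improves as it falls, so the same slope sign maps to opposite colours for the two metrics.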
  • 26. Contact Information
    Michael A. Davis
    mdavis@savidtech.com
    708-532-2843
    Twitter: @mdavisceo