Andy Ellis Chief Security Officer @csoandy
Cognitive Injection: Herding Lizards for Fun, Profit, and Safety
Why Do People Make “Bad” Decisions?
@csoandy
Business Owner and Security, each side’s label for the other: “Stupid”, “Incomprehensible”.
Modal bias!
A typical business risk conversation
Business Owner: Here is my project. Is it safe?
Security: Here’s our ISO 27002 checklist of every mistake anyone’s ever made. Prove you haven’t.
Business Owner: That’s really long. Can you fill it out for me?
Security: Sure. You have a bunch of esoteric risk here.
Business Owner: Really? Is that a showstopper?
Security: If I say yes, you’re going to override me, aren’t you? And if I say no, I’m in trouble if this goes wrong...
Security Poverty Line
This is a dangerous way to operate!
Security Subsistence Syndrome: “I can’t even do the barest minimum to cover my ass, so I’d better not do anything but cover my ass.” Organizations that don’t have enough resources to implement perceived basic security needs.
Accruing Technical Debt: With every step forward, the undone work increases risk and makes future steps harder.
Historical paranoia
“Monkey on rope ladder” © CC-BY-SA 2010 Rachel Coleman Finch
The economics of the Prisoner’s Dilemma
Payoff matrix (row player / column player):

                Cooperate      Cheat
  Cooperate     -3 / -3        -10 / -1
  Cheat         -1 / -10       -5 / -5

13% of the time!
40% of the time!
Adding value: “measuring” a security program
Security value balances perceived risk. Tolerance of perceived risk drives to a stable equilibrium.
[Chart: Perceived Risk vs. Security Value]
How much security is “good enough”?
Levels along the security value axis:
What your organization thinks it can get away with
Enough to fool the standard auditor
Enough to convince a serious auditor
Sufficient against the casual adversary
“Good” security
Where a good assessor can help you
What you need to fend off a persistent adversary
“Perfect” security
Peltzman Effect
What your organization thinks it can get away with
Organizations don’t think: People do.
Thinking, Fast and Slow
Or do they?
System 1: The Fast Lizard-Brain
System 1: The bigot
System 1 vs System 2
[Two slides of the words LEFT and RIGHT repeated as an exercise]
System 1 in action
Annual Security Awareness Training is required by all employees to ensure your compliance with the security policies of the company while conducting your daily tasks in furtherance of our goals to protect company data, systems, and information against malfeasance, adversarial action, and other systemic failures that might be introduced by an inattention to appropriate risk management activities or non-compliance with industry standard best practices as laid out in various control frameworks such as ISO 27002, PCI, HIPAA, SOX, SSAE-16, NIST 800-53, FedRAMP…
It’s not a ROSI scenario
Loss: $5M. Probability: 10%/yr. ALE: $500,000
$50K; $14K maintenance. Cost: $26K/yr
10% reduction in events. Savings: $50K/yr
$5B  .01%  N/day!
What do organizations consider risk?
people   lizards
Business Owner: Is my P/L good? Will I gain market share?
CEO: Is this profitable?
Sales: Can I meet my quota with this?
CFO: Is this a good allocation of resources?
Employees: Will I have a job?
Security: Is this safe?
Set-point theory of risk tolerance
[Chart: Perceived Risk vs. Security Value]
Perceived risk tolerance seeks a stable equilibrium!
Unmitigated Risk Psychosis
[Chart: Perceived Risk vs. Security Value, with Actual Risk* overlaid]
Attempts to leave residual risk may result in new risk budgets!
*not actually actual risk
Training Lizards
[Chart: Perceived Risk vs. Security Value, with Actual Risk overlaid]
Risk management is like muscle memory.
Perceived Risk vs. Actual Risk
[Chart: Perceived risk (vertical axis) vs. Actual risk (horizontal axis), with regions labelled:]
threat ignorance
known vulnerability
“FUD”
stealth improvements
risk reduction
security theater
blind compliance
awareness
Actual Prisoners in a Dilemma
Payoff matrix (row player / column player):

                Cooperate      Cheat
  Cooperate     -3 / -3        -10 / -1
  Cheat         -1 / -10       -5 / -5

30% of the time!
19% of the time!
Where is your residual risk?
Business Owner: Competitors are gaining. Have to move faster!
CEO: Products A & B are high risk. C should be safer.
Sales: That last product didn’t sell. I’ll sell something else.
CFO: You came in over budget. Are your numbers accurate?
Employees: This business is unprofitable. Update my resume!
Security: Here’s our ISO 27002 checklist of every mistake anyone’s ever made. Prove you haven’t.
A better business risk conversation
Business Owner: Here is my project. Is it safe?
Security: I don’t know. Is it?
Business Owner: Wait, what?
Security: Here’s how to think about safety. Do you think your product is safe?
Business Owner: Ummm....
Business Owner: Here’s my assessment of my risk. I think this is reasonably safe.
Security: Great, glad to hear it. Can you fix those outliers in your next release?
How do you get better?
Takeaway: Improve security value
Goal of any security program: dv/dt > 0
Below the Security Poverty Line, we see Security Subsistence Syndrome: relying on resources, not capabilities. Goal: dr/dt > 0
A good security program wants to create surplus. Goal: dc/dt > 0
Questions, Answers, and Pontifications
Andy Ellis [email protected] @csoandy http://www.csoandy.com/