How Near-Miss Bias Affects Risk-Based Decisions

Jordan Schroeder, CISSP, CISM

Upload: jordan-schroeder

Post on 10-Apr-2017

Page 1: How Near-Miss Bias Affects Risk-Based Decisions

HOW NEAR-MISS BIAS AFFECTS RISK-BASED DECISIONS

JORDAN SCHROEDER, CISSP, CISM

Page 2: How Near-Miss Bias Affects Risk-Based Decisions

INTRO

WHO AM I

▸ Member of the GRC team at Visier, Inc

▸ Moderator of Security StackExchange

▸ Former teacher, actor, singer, director, Coast Guard Officer, undertaker, database designer, tax preparer, business owner, day trader

▸ http://www.linkedin.com/in/schroederjordan

▸ http://security.stackexchange.com/users/6253/schroeder

▸ https://gophishyourself.wordpress.com

Page 3: How Near-Miss Bias Affects Risk-Based Decisions

INTRO

RISK IS NOT ENOUGH

▸ You’ve done your calculations

▸ You’ve drafted a clear report

▸ Your research shows that a Threat is not going away

▸ You present your report expertly to decision makers

▸ They make the wrong decision …

▸ Why??

Page 4: How Near-Miss Bias Affects Risk-Based Decisions

INTRO

RISK IS NOT ENOUGH

▸ Data alone does not result in appropriate action

▸ Data is interpreted by the audience through a number of filters

▸ Those filters determine the resulting action

▸ “Near-Miss Bias” is a unique filter that requires specific handling

Page 5: How Near-Miss Bias Affects Risk-Based Decisions

INTRO

THIS PRESENTATION IS A SUMMARY OF:

2008

How Near-Misses Influence Decision Making Under Risk: A Missed Opportunity for Learning

Robin L. Dillon

Catherine H. Tinsley

McDonough School of Business, Georgetown University, Washington, D.C. 20057

Page 6: How Near-Miss Bias Affects Risk-Based Decisions

INTRO

THIS PRESENTATION IS A SUMMARY OF:

2012

How Near-Miss Events Amplify or Attenuate Risky Decision Making

Robin Dillon-Merrill

Catherine H. Tinsley

Matthew A. Cronin

McDonough School of Business, Georgetown University, Washington, D.C. 20057

Page 7: How Near-Miss Bias Affects Risk-Based Decisions

WHAT IS IT?

Page 8: How Near-Miss Bias Affects Risk-Based Decisions

WHAT IS IT?

COLUMBIA SHUTTLE DISASTER 2003

Page 9: How Near-Miss Bias Affects Risk-Based Decisions

WHAT IS IT?

COLUMBIA SHUTTLE DISASTER 2003

▸ Shedding of tank foam during ascent happened frequently

▸ Caused by debris hitting the tanks

▸ “With each successful landing, it appears that NASA engineers and managers increasingly regarded the foam-shedding as inevitable, and as either unlikely to jeopardize safety or simply an acceptable risk.”

▸ (Columbia Accident Investigation Board Report, Volume 1, 2003, p. 122)

Dillon and Tinsley, “How Near-Misses Influence Decision Making Under Risk: A Missed Opportunity for Learning”, Management Science, Articles in Advance

Page 10: How Near-Miss Bias Affects Risk-Based Decisions

WHAT IS IT?

COLUMBIA SHUTTLE DISASTER 2003

▸ Probabilistic analysis performed in 1990 determined that debris strikes could be catastrophic

▸ Foam loss occurred on 10% of flights

▸ Damage to foam every flight, with an average of 143 divots per flight

▸ How could this ‘obvious’ problem be overlooked?

Dillon and Tinsley, “How Near-Misses Influence Decision Making Under Risk: A Missed Opportunity for Learning”, Management Science, Articles in Advance

Page 11: How Near-Miss Bias Affects Risk-Based Decisions

WHAT IS IT?

NASA EXPERIMENT

▸ Information Management Business students (with training in stats and probabilities) put through a simulation where they have to navigate the Mars Rover from one crater to another

▸ Each simulated day, given a weather report, the participant needed to decide to stay or move on given the weather’s chance of causing a wheel failure

Dillon and Tinsley, “How Near-Misses Influence Decision Making Under Risk: A Missed Opportunity for Learning”, Management Science, Articles in Advance

Page 12: How Near-Miss Bias Affects Risk-Based Decisions

WHAT IS IT?

NASA EXPERIMENT

▸ Those who ‘survived’ the risky choices were more prone to making riskier decisions for the next day

▸ Even when presented with the probabilities afresh each day, participants still incorporated the previous successes into their decisions, even if they did not make as many risky decisions

▸ When given the choice of knowing Near-Miss data or other data, participants were less likely to seek other data

Dillon and Tinsley, “How Near-Misses Influence Decision Making Under Risk: A Missed Opportunity for Learning”, Management Science, Articles in Advance

Page 13: How Near-Miss Bias Affects Risk-Based Decisions

WHAT IS IT?

NEAR-MISS

▸ People tend to see events as linked and not independent

▸ “hot streaks”

▸ People with Near-Miss information tend to skew towards riskier decisions

Dillon and Tinsley, “How Near-Misses Influence Decision Making Under Risk: A Missed Opportunity for Learning”, Management Science, Articles in Advance

Page 14: How Near-Miss Bias Affects Risk-Based Decisions

WHAT IS IT?

NEAR-MISS

▸ People do not ignore the other data

▸ People use the data from the Near-Miss events as a source of optimism

▸ More Near-Miss data exacerbates the problem

Dillon and Tinsley, “How Near-Misses Influence Decision Making Under Risk: A Missed Opportunity for Learning”, Management Science, Articles in Advance

Page 15: How Near-Miss Bias Affects Risk-Based Decisions

WHAT IS IT?

NEAR-MISS SPECULATION: BAYES

▸ Near-Miss data incorporated with statistical data

▸ Like an inherent Bayesian analysis

▸ “My successes were because the probabilities were general and not applicable to my specific situation. My probabilities are different.”

▸ (Stats) x (Near-Miss adjustment)

▸ version of the Gambler’s Fallacy

Dillon and Tinsley, “How Near-Misses Influence Decision Making Under Risk: A Missed Opportunity for Learning”, Management Science, Articles in Advance

Page 16: How Near-Miss Bias Affects Risk-Based Decisions

WHAT IS IT?

INFOSEC NEAR-MISSES

▸ Viruses caught on endpoints

▸ Brute-force attempts

▸ “Background radiation”

▸ Phishing domains

▸ Vishing calls

Page 17: How Near-Miss Bias Affects Risk-Based Decisions

WHAT IS IT?

INFOSEC NEAR-MISSES

▸ “We have never had a breach”

▸ that we know about …

▸ “All these alerts are just noise”

▸ Incident Response teams are absorbing a lot of budget in hunting down all these false positives

▸ “They are just script-kiddies who don’t know what they are doing”

▸ There is no real threat

Page 18: How Near-Miss Bias Affects Risk-Based Decisions

MISS - COMMUNICATING

Page 19: How Near-Miss Bias Affects Risk-Based Decisions

MISS - COMMUNICATING

NEAR-MISS COULD BE INTERPRETED TWO WAYS

▸ Disasters that did not occur

▸ Resilient Risks

▸ “Yay! I didn’t die!”

▸ Disasters that almost happened

▸ Vulnerable Risks

▸ “OMG! I almost died!”

Dillon-Merrill, Robin; Tinsley, Catherine H.; and Cronin, Matthew A., "How Near-Miss Events Amplify or Attenuate Risky Decision Making" (2012). Published Articles & Papers. Paper 93.

Page 20: How Near-Miss Bias Affects Risk-Based Decisions

MISS - COMMUNICATING

RESILIENT RISKS

▸ Results in riskier behaviours

▸ Reduction in mitigating behaviours

▸ Explicit Likelihood calculations do not change

▸ merely quietly ‘enhanced’ with a Bayesian factor when there is a call to action

Dillon-Merrill, Robin; Tinsley, Catherine H.; and Cronin, Matthew A., "How Near-Miss Events Amplify or Attenuate Risky Decision Making" (2012). Published Articles & Papers. Paper 93.

Page 21: How Near-Miss Bias Affects Risk-Based Decisions

MISS - COMMUNICATING

THE HIDDEN CALCULATION

▸ You present your risks

▸ You present your calculations

▸ Your audience agrees with it all

▸ Your audience quietly applies their own Bayesian Near-Miss factor

▸ Your audience then decides

▸ budget, personnel, InfoSec projects, etc.

Dillon-Merrill, Robin; Tinsley, Catherine H.; and Cronin, Matthew A., "How Near-Miss Events Amplify or Attenuate Risky Decision Making" (2012). Published Articles & Papers. Paper 93.
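A worked version of the hidden calculation, covering both the “Near-Miss Speculation: Bayes” slide and this one. It is an added example, not material from the slides or from the Dillon and Tinsley papers. It models the Mars Rover exercise from the NASA experiment slides: each day a weather report states a chance of wheel failure, and the planner decides to stay or move. The stated probabilities are never disputed; a near-miss-biased planner simply multiplies them by a private discount that grows with every survived move, which is “(Stats) x (Near-Miss adjustment)” written out. The weather series, the tolerated-risk threshold and the 0.85 discount factor are constructed assumptions chosen to make the effect visible.

```python
"""Hidden near-miss calculation behind a stated probability.

Added example, not from the slides or the Dillon/Tinsley papers. The
weather series, the tolerated risk and the discount factor are assumptions.
"""

# Risk a planner is willing to accept for a single move (assumption).
TOLERATED_RISK = 0.20

# Constructed weather series: stated probability of wheel failure if the rover moves that day.
WEATHER = [0.10, 0.15, 0.22, 0.25, 0.30, 0.35]


def perceived_probability(stated_p, survived_moves, discount=0.85):
    """(Stats) x (Near-Miss adjustment).

    The stated probability is accepted as given, then quietly multiplied by a
    factor that shrinks with each earlier risky move that 'worked'. This is the
    private, Bayesian-looking update from the slides: "my probabilities are different".
    """
    return stated_p * (discount ** survived_moves)


def plan_moves(stated_probs, biased):
    """Decide day by day whether to move; True means move.

    The unbiased planner compares the stated probability with the tolerated risk.
    The near-miss-biased planner compares the perceived probability instead, so
    every survived move lowers tomorrow's perceived risk.
    """
    decisions = []
    survived_moves = 0
    for stated_p in stated_probs:
        p = perceived_probability(stated_p, survived_moves) if biased else stated_p
        move = p < TOLERATED_RISK
        decisions.append(move)
        if move:
            survived_moves += 1  # counted for both planners; only the biased one uses it
    return decisions


def survival_probability(stated_probs, decisions):
    """Chance that no wheel fails over the planned route, treating each day's
    weather as independent (the framing the slides recommend: not a chain)."""
    prob = 1.0
    for stated_p, move in zip(stated_probs, decisions):
        if move:
            prob *= 1.0 - stated_p
    return prob


def compare_planners(stated_probs=WEATHER):
    """Return (unbiased_survival, biased_survival) for the same weather series."""
    unbiased = plan_moves(stated_probs, biased=False)
    biased = plan_moves(stated_probs, biased=True)
    return (survival_probability(stated_probs, unbiased),
            survival_probability(stated_probs, biased))


if __name__ == "__main__":
    careful, optimistic = compare_planners()
    print(f"unbiased planner: moves {plan_moves(WEATHER, False)}, survival {careful:.3f}")
    print(f"biased planner:   moves {plan_moves(WEATHER, True)}, survival {optimistic:.3f}")
```

Run as a script it prints both plans: the unbiased planner moves only on the two days under the threshold and gets through with probability about 0.77, while the biased planner, banking each survival, moves every day and its chance of finishing without a wheel failure falls to about 0.20. Nothing in the report changed; the adjustment lived entirely in the audience's head, which is why presenting the same numbers again does not cure it.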

Page 22: How Near-Miss Bias Affects Risk-Based Decisions

MISS - COMMUNICATING

PRESENT VULNERABLE RISKS

▸ If Near-Miss information is communicated as Vulnerable Risks (“we almost died!”):

▸ and if the audience accepts that framing

▸ the effects of Resilient Risks are countered

▸ more mitigating behaviours are used

Dillon-Merrill, Robin; Tinsley, Catherine H.; and Cronin, Matthew A., "How Near-Miss Events Amplify or Attenuate Risky Decision Making" (2012). Published Articles & Papers. Paper 93.

Page 23: How Near-Miss Bias Affects Risk-Based Decisions

MISS - COMMUNICATING

VULNERABLE CHALLENGES

▸ The audience might not accept your framing

▸ becomes a messaging issue

▸ Creates a tone of negativity (less fun, less value)

▸ The mitigations become devalued!

▸ The messenger becomes devalued!

Dillon-Merrill, Robin; Tinsley, Catherine H.; and Cronin, Matthew A., "How Near-Miss Events Amplify or Attenuate Risky Decision Making" (2012). Published Articles & Papers. Paper 93.

Page 24: How Near-Miss Bias Affects Risk-Based Decisions

MISS - COMMUNICATING

COMMUNICATING RISK

▸ Focus on the Probabilities

▸ Frame past events as independent and not a chain

▸ Focus on the potential impact

▸ Frame Near-Misses as Vulnerable Risks

Dillon-Merrill, Robin; Tinsley, Catherine H.; and Cronin, Matthew A., "How Near-Miss Events Amplify or Attenuate Risky Decision Making" (2012). Published Articles & Papers. Paper 93.

Page 25: How Near-Miss Bias Affects Risk-Based Decisions

MISS - COMMUNICATING

COMMUNICATING RISK - JORDAN

▸ Focus on Procedural Resiliency

▸ Combat Vulnerable Risk negativity by celebrating the resiliency of the Risk process

▸ “Yay! We are surviving because we are using the right mitigations!”

▸ Make insurance sexy

Page 26: How Near-Miss Bias Affects Risk-Based Decisions

MISS - COMMUNICATING

COMMUNICATING RISK - JORDAN

▸ Our detective controls are working!

▸ IR teams have confirmed that our users, our data, and our systems have not been compromised

▸ Our defences are effective against script-kiddies

▸ What are they not effective against?

Page 27: How Near-Miss Bias Affects Risk-Based Decisions

NEAR-MISS AS RISK ASSESSMENT

Page 28: How Near-Miss Bias Affects Risk-Based Decisions

MISS - ASSESSMENT

CHEAP DISASTERS

▸ Treating Near-Misses as Resilient Risks means that one might ignore them

▸ Instead, treat them as Actualized Risks for purposes of Risk Assessment

▸ Disasters that don’t cost the organization anything

Dillon-Merrill, Robin; Tinsley, Catherine H.; and Cronin, Matthew A., "How Near-Miss Events Amplify or Attenuate Risky Decision Making" (2012). Published Articles & Papers. Paper 93.

Page 29: How Near-Miss Bias Affects Risk-Based Decisions

MISS - ASSESSMENT

CHEAP TRICKS

▸ Often the same pre-conditions as a real disaster

▸ Easy way to identify hazardous conditions

▸ Encourage and reward the reporting of Near-Misses

▸ Helps to encourage an organizational culture of safety

Dillon-Merrill, Robin; Tinsley, Catherine H.; and Cronin, Matthew A., "How Near-Miss Events Amplify or Attenuate Risky Decision Making" (2012). Published Articles & Papers. Paper 93.

Page 30: How Near-Miss Bias Affects Risk-Based Decisions

MISS - ASSESSMENT

EXAMPLE IN INFOSEC

▸ A/V alerts that it caught a virus in an email attachment

▸ not executed, no actualized risk

▸ Every once in a while, treat it as though it was an actual infection

▸ Run the Incident Response process

▸ great training for new members

▸ Identify all vulnerable areas that were involved

Page 31: How Near-Miss Bias Affects Risk-Based Decisions

MISS - ASSESSMENT

EXAMPLE IN INFOSEC

▸ Recalibrate the Risk Assessments of that area

▸ Mitigate vulnerable areas

▸ Trains everyone involved

▸ Streamlines the processes

▸ Encourages a culture of safety

▸ Old-fashioned fire drill but with a real threat
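To make the “Cheap Disasters”, “Cheap Tricks” and InfoSec example slides concrete, here is an added example (not the slides’ or the paper’s own code) that works through a constructed near-miss register. It computes the annualized rate of occurrence and the annual loss expectancy twice, once under the “resilient risk” reading where only actual infections count and once treating each A/V catch as a disaster that happened to cost nothing, then ranks the pre-conditions the near-misses keep sharing and picks the ones to run through the full incident response process as a drill. The register, the single-loss figure and the drill cadence are assumptions.

```python
"""Near-misses as cheap disasters in a risk assessment.

Added example, not from the slides or the Dillon-Merrill/Tinsley/Cronin paper.
The event register, the single-loss estimate and the drill cadence are
constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    day: int    # day of year on which the event was recorded
    kind: str   # "incident" (harm occurred) or "near_miss" (caught before harm)
    area: str   # pre-condition / area involved, e.g. the path the malware arrived by


# Constructed one-year register: mostly A/V catches on attachments, one real infection.
REGISTER = [
    Event(12, "near_miss", "email-attachments"),
    Event(40, "near_miss", "email-attachments"),
    Event(75, "incident", "removable-media"),
    Event(90, "near_miss", "email-attachments"),
    Event(130, "near_miss", "web-downloads"),
    Event(201, "near_miss", "email-attachments"),
    Event(260, "near_miss", "web-downloads"),
    Event(300, "near_miss", "email-attachments"),
]

SINGLE_LOSS_EXPECTANCY = 50_000  # assumed cost of one malware infection (currency units)


def annual_rate(events, count_near_misses):
    """Annualized rate of occurrence (ARO).

    With count_near_misses=False only actualized incidents count: the 'resilient
    risk' reading, where a caught virus is just noise. With True every near-miss
    is treated as a disaster that did not cost anything.
    """
    counted = {"incident", "near_miss"} if count_near_misses else {"incident"}
    return sum(1 for e in events if e.kind in counted)


def annual_loss_expectancy(events, count_near_misses, sle=SINGLE_LOSS_EXPECTANCY):
    """ALE = ARO x SLE, under either reading of the near-misses."""
    return annual_rate(events, count_near_misses) * sle


def hazardous_areas(events, min_events=2):
    """Pre-conditions that near-misses keep sharing, most frequent first.

    These are the vulnerable areas whose risk assessment should be recalibrated
    and where mitigation effort is best spent.
    """
    counts = Counter(e.area for e in events if e.kind == "near_miss")
    return [(area, n) for area, n in counts.most_common() if n >= min_events]


def drill_candidates(events, every_n=3):
    """Pick every n-th near-miss (in date order) to run through the full incident
    response process as if it were a real infection: the fire drill with a real threat."""
    near_misses = sorted((e for e in events if e.kind == "near_miss"), key=lambda e: e.day)
    return [e for i, e in enumerate(near_misses, start=1) if i % every_n == 0]


if __name__ == "__main__":
    print("ARO, incidents only:", annual_rate(REGISTER, False))
    print("ARO, near-misses as cheap disasters:", annual_rate(REGISTER, True))
    print("ALE, incidents only:", annual_loss_expectancy(REGISTER, False))
    print("ALE, near-misses counted:", annual_loss_expectancy(REGISTER, True))
    print("recurring pre-conditions:", hazardous_areas(REGISTER))
    print("drills:", [(e.day, e.area) for e in drill_candidates(REGISTER)])
```

On this register the ARO is 1 under the resilient reading and 8 under the cheap-disaster reading, so the ALE the decision-makers see moves from 50,000 to 400,000 without any new data, only a different treatment of the same events. The ranking shows email attachments as the pre-condition to mitigate first, which the single actual incident (removable media) would never have revealed on its own.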

Page 32: How Near-Miss Bias Affects Risk-Based Decisions

SUMMARY

Page 33: How Near-Miss Bias Affects Risk-Based Decisions

SUMMARY

NEAR-MISS

▸ Past events seen as linked

▸ Near-Misses used to adjust probabilities

▸ Near-Miss data preferred over other data

▸ Used to justify riskier behaviours

Page 34: How Near-Miss Bias Affects Risk-Based Decisions

SUMMARY

COMMUNICATING NEAR-MISS

▸ Focus on Probabilities

▸ De-link events

▸ Focus on potential harm

▸ Shift to Vulnerable Risks

▸ Focus on Procedural Resiliencies

▸ Combat negativity

Page 35: How Near-Miss Bias Affects Risk-Based Decisions

SUMMARY

NEAR-MISS ASSESSMENTS

▸ Treat Near-Misses as opportunities

▸ Cheap Disasters

▸ Fire Drills

▸ Identify Vulnerable areas

▸ Communicate the importance of reporting Near-Misses

▸ Encourage a culture of safety

Page 36: How Near-Miss Bias Affects Risk-Based Decisions

THANK YOU & HAPPY RISKING!