Yesterday I finished up a presentation for the Secure360 Conference: “Putting the Fun in Dysfunctional – How the Security Industry Works, and Why It’s Your Fault”. This is a combination of a bunch of things I’ve been thinking about for a while, mostly focused on cognitive science and economics. Essentially, security makes a heck of a lot more sense once you start trying to understand why people make the decisions they do, which is a combination of their own internal workings and external forces. Since it’s very hard to change how people think (in terms of process, not opinion), the best way to induce change is to modify the forces that drive their decision making.
I have a section in the presentation on cognitive bias, which is our tendency to make errors in judgement due to how our brains work. It’s pretty fascinating stuff, and essential knowledge for anyone who wants to improve their critical thinking. Here are some examples relevant to the practice of security (from Wikipedia):
- Framing by using a too-narrow approach and description of the situation or issue.
- Hindsight bias, sometimes called the “I-knew-it-all-along” effect, is the inclination to see past events as being predictable.
- Confirmation bias is the tendency to search for or interpret information in a way that confirms one’s preconceptions – this is related to cognitive dissonance.
- Self-serving bias is the tendency to claim more responsibility for successes than failures. It may also manifest itself as a tendency for people to evaluate ambiguous information in a way beneficial to their interests.
- Bandwagon effect: the tendency to do (or believe) things because many other people do (or believe) the same. Related to groupthink, herd behavior, and mania.
- Base rate fallacy: ignoring available statistical data in favor of particulars.
- Focusing effect: prediction bias which occurs when people place too much importance on one aspect of an event – this causes errors when attempting to predict the utility of a future outcome.
- Loss aversion: “the disutility of giving up an object is greater than the utility associated with acquiring it”.
- Outcome bias: the tendency to judge a decision based its eventual outcome, rather than by the information available when it was made.
- Post-purchase rationalization: the tendency to persuade oneself that a purchase was a good value.
- Status quo bias: our preference for to stay the same (see also loss aversion and endowment effect).
- Zero-risk bias: preference for reducing a small risk to zero, over a greater reduction in a larger risk.
Cognitive bias also has interesting ties to logical fallacies, another essential area for any good security pro or skeptic.
Not that understanding psychology and economics solves all our problems, but they sure help reduce the frustration. And applied to ourselves, understanding can really improve our ability to analyze information and make decisions. Cool stuff.
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
Favorite Securosis Posts
- Rich: Thoughts on Data Breach History. I sort of have a thing for history… when you look at the big picture, sometimes things become obvious.
- Adrian Lane: You Should Ignore the NetworkWorld DLP Review. Nice.
- David Mortman: Firestarter: For Secure Code, Process Is a Placebo; It’s All about Peer Pressure!
Other Securosis Posts
- Help Build the Mother of All Data Security Surveys.
- Download Our Kick-Ass Database Encryption and Tokenization Paper.
- Database Security Fundamentals: Encryption.
- Understanding and Selecting SIEM/LM: Use Cases, Part 2.
- Optimism and Cautions on OpenDLP.
- Understanding and Selecting SIEM/LM: Use Cases, Part 1.
Favorite Outside Posts
- Rich: 2010 DBIR to include cases from U.S. Secret Service This is simply awesome! The Secret Service is analyzing all their cases from the past couple years using Verizon’s framework. This is a gold mine for those of us who care about real world security (disclosure – I’m on the board of the VERIS project for Verizon, but I am not compensated in any way).
- Adrian Lane: What Egress Filters Should I Use? Branden Williams offers a pragmatic discussion of egress filtering.
Project Quant Posts
Research Reports and Presentations
- Understanding and Selecting a Database Encryption or Tokenization Solution.
- Low Hanging Fruit: Quick Wins with Data Loss Prevention.
Top News and Posts
- Vuln Disclosure is Rude.
- Open letter to Facebook on privacy (Noticing a trend this week?).
- OMB issues new rules on IT security.
- Penetration Testing in the Real World.
- How Assumptions May Be Making Us All Less Secure. (Almost made my favorite of the week).
- Six Things You Need to Know About Facebook Connections.
- Didier Stevens on PDF Hacking and Security.
- Facebook disables chat after security hole discovered.
- DNSSEC on all root servers.
- Turning Stolen Credit Cards to Cash. Making dreams come true. God, I love online payment scams!
- The Cisco Secure Development Lifecycle: An Overview. I did not expect to see a secure development cycle coming from Cisco. Review to come.
- Regular expression sandboxing. An interesting discussion, albeit a little more technical, on the use of regex to parse / match JavaScript.
- Rethinking the Cyber Threat – A Microsoft paper.
- Feds Thwart Alleged ATM Hacking Spree. Cash machine reprogramming. More creative than skimming.
- Opera Plugs ‘Extremely Severe’ Security Hole.
- Encryption Can’t Stop The Wiretapping Boom.
- Former Ars Technica Forum Host Compromised.
Blog Comment of the Week
Remember, for every comment selected, Securosis makes a $25 donation to Hackers for Charity. This week’s best comment goes to Betsy Nichols, in response to Thoughts on Data Breach History.
Very interesting presentation. The OSF is doing amazing work in two areas: data breaches and vulnerabilities. It is amazing what they have accomplished with a volunteer community. They are definitely a worthwhile cause that merits broad support from all of us who benefit from their work.
You and other interested folks in the Securosis community may be interested in some of the quantitative analysis I have done using the OSF DataLossDB. You can see it at www.metricscenter.net. (No login necessary.) Just go to the Dashboards area of the site. I have posted two that are based on the DataLossDB.
The first dashboard is titled Public Data Breaches which is solely based on the DataLossDB and presents some basic stats.
The second dashboard is titled Stock Price Impact. This looks at mashing up data from the DataLossDB with Google Finance data to get insight on the question “What is the impact of a breach on a public company’s stock price”.
Comments