Sunday, June 3, 2007

Security experts are people and people are bad at evaluating risk

This is another great essay from Bruce Schneier in Wired magazine about how people miscalculate risks.  This subject really fascinates me; it is at the heart of many superstitions and beliefs that people can't seem to shake, even though they use their iPods and HDTVs and seem to accept science as a way of knowing the world.
Schneier on Security: Rare Risk and Overreactions
Novelty plus dread equals overreaction.
And, on a related note, Ian Grigg discusses how we security people are just as bad at calculating risks and at dealing with relative risks in general.  There comes a time in your security career when you have to realize that the goal is never to _eliminate_ risk.  A good security person knows how to evaluate risks (read:  threat model) and to come up with viable solutions that let the business move forward while _reducing risk to a manageable level_.  This is especially true in the business world.  Being in business is inherently risky, and businesses exist because people at all levels take risks.  Security risks are just one class of risk that a company needs to weigh as part of the economic equation.  If you can get to the level of a solution provider, you will find it more rewarding than playing adversarial whack-a-mole with business people over every little potential risk that comes up.  Vulnerabilities != risk, necessarily: a vulnerability only becomes a risk when there is a threat that can reach it and an impact worth caring about.  Repeat that until it sinks in.

That said, I don't believe the answer involves coming up with elaborate ways to "quantify" risk.  That has been a holy grail and likely will continue to be one.  The more I read about quantum mechanics, though, the more I see potential for a probabilistic model of security.  However, the lack of quality incident data on which to base statistics still leaves such a huge margin of error that getting any model to be more precise than the typical Low - Medium - High - Critical scale is a stretch.
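To make the margin-of-error point concrete, here is an added example (my own illustration, not code from the post or from either of the essays it links).  It treats incidents as a Poisson process, computes the exact two-sided 90% confidence interval on the annual incident rate from a small incident count, multiplies by an assumed loss per incident to get an expected annual loss, and then maps that onto a Low/Medium/High/Critical scale.  The loss figure, the bucket thresholds and the incident counts are all constructed assumptions; the point is how many buckets the interval straddles when you have only a handful of incidents to go on.

```python
"""Constructed example: how wide the uncertainty on an incident rate is when
the incident record is thin, and what that does to an ordinal risk bucket.
Not code from the original post; every number below is an assumption."""
import math


def poisson_cdf(k, lam):
    """P(X <= k) for X ~ Poisson(lam), summed in log space to avoid overflow."""
    if lam <= 0:
        return 1.0
    total = 0.0
    for i in range(k + 1):
        total += math.exp(-lam + i * math.log(lam) - math.lgamma(i + 1))
    return min(total, 1.0)


def _solve_decreasing(f, target, hi):
    """Bisection for f(x) == target where f is monotonically decreasing on [0, hi]."""
    lo = 0.0
    for _ in range(200):
        mid = (lo + hi) / 2
        if f(mid) > target:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


def incident_rate_interval(events, exposure_years, confidence=0.90):
    """Exact two-sided confidence interval for an annual Poisson incident rate.

    Returns (lower, point, upper) in incidents per year.  The lower bound is the
    rate at which seeing at least `events` incidents sits at the alpha/2 tail;
    the upper bound is the rate at which seeing at most `events` does.
    """
    alpha = 1.0 - confidence
    hi = events + 10 * math.sqrt(events) + 20  # generous bracket for bisection
    if events == 0:
        lower = 0.0
    else:
        lower = _solve_decreasing(lambda lam: poisson_cdf(events - 1, lam), 1 - alpha / 2, hi)
    upper = _solve_decreasing(lambda lam: poisson_cdf(events, lam), alpha / 2, hi)
    return lower / exposure_years, events / exposure_years, upper / exposure_years


# Assumed ordinal scale on expected annual loss (EAL), in dollars.  Constructed.
BUCKETS = [("Low", 10_000), ("Medium", 100_000), ("High", 1_000_000), ("Critical", math.inf)]


def bucket(eal):
    for name, ceiling in BUCKETS:
        if eal < ceiling:
            return name
    return BUCKETS[-1][0]


def rate_risk(events, exposure_years, loss_per_incident, confidence=0.90):
    """Map the rate interval to EAL and to the range of buckets it spans."""
    lower, point, upper = incident_rate_interval(events, exposure_years, confidence)
    eal = tuple(r * loss_per_incident for r in (lower, point, upper))
    names = [name for name, _ in BUCKETS]
    lo_i, hi_i = names.index(bucket(eal[0])), names.index(bucket(eal[2]))
    return {"eal": eal, "point_bucket": bucket(eal[1]), "buckets_spanned": names[lo_i:hi_i + 1]}


if __name__ == "__main__":
    # Constructed scenarios: a loss of $50k per incident (assumed) and three
    # incident histories of very different depth.
    for events, years in ((0, 3), (2, 5), (200, 5)):
        r = rate_risk(events, years, loss_per_incident=50_000)
        lo, pt, hi = r["eal"]
        print(f"{events:3d} incidents / {years} yr: EAL ${lo:,.0f} .. ${pt:,.0f} .. ${hi:,.0f} "
              f"-> point estimate {r['point_bucket']}, 90% interval spans "
              f"{'/'.join(r['buckets_spanned'])}")
```

With two incidents in five years the 90% interval on the rate runs from roughly 0.07 to 1.26 per year, a factor of about 18, and the expected annual loss straddles Low and Medium even though the point estimate sits comfortably in Medium.  Zero incidents in three years is not "Low" either: the upper bound is still about one incident a year.  Only at a couple of hundred incidents does the interval collapse to a single bucket, and few organisations have that much clean data for any one category of harm.
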

Financial Cryptography: The Myth of the Superuser, and other frauds by the security community
...experts in the field of computer crime and computer security are seemingly uninterested in probabilities. Computer experts rarely assess a risk of online harm as anything but, “significant,” and they almost never compare different categories of harm for relative risk.
