Influencing Security Decisions
Gary Gaskell (CISSP, CISM, CISA, CCSP, FACS, CP-Cyber Security (ACS), GAICD, M App Sc, B Eng, B IT)
E: [email protected]
W: www.infosecservices.com.au
M: 0438 603 307
With thanks to Mark Ames, CISA, CISM, CRISC
Infosec Services Pty Ltd
31 May 2019 Copyright © Infosec Services Pty Ltd 2019 1
Objectives
Successful exchange with management
For you
For them
Obtaining ‘buy in’ for your security plans
Use for good - please
Agenda
The science of judgements
Decision making
Putting the science to work
Decision Making & Judgement
Risk assessment goal = decisions
Business case = decisions
Decision theory debate: rational decision theory vs biased and heuristic decisions
A Word on Uncertainty
Judgements based on lack of sound information
Fear of hindsight on judgements
Cyber security != car insurance actuarial science
Confident speakers, witnesses etc.
Uncertainty unsettles people
Simple vs complicated
Cognitive load
Too many facts = “try hard”, lower credibility
Image: Kris Straub, www.chainsawsuit.com
Quotes from the Wise
“What you see and hear depends a good deal on where you are standing: it also depends on what sort of person you are.”
-- C. S. Lewis, The Magician’s Nephew
Identity and Cyber Decisions
Decisions from non-cyber people
The role of identity
Decisions show ‘who you are’
Decision as a bet
Viewpoint?
Common knowledge is not so common
Decision by proxy
Do you look or sound credible to a non-cyber person?
Persuasion
Aristotle – three factors in persuasion:
Intellectual (logos)
• an appeal to logical reasoning
• based on analysis
Psychological (pathos)
• an appeal to the audience's emotion
• self-interest of the listener
Social or ethical (ethos)
• an appeal to the speaker's character
• rank
• credibility
• Do I trust them to be honest? I couldn’t tell if they were not honest
Objective evidence rarely changes minds
People & decisions
• personal relevance and impact of a claim
• trustworthy source
Alan Alda: Tell a story!
Harvard Business Review 2013.
Homo Economicus
Ref – Traditional economics: John Stuart Mill, Adam Smith
Versus asset bubbles:
Dutch tulip mania 1600s
Stock markets 1929
Dotcom bubble 1999
Bitcoin $20 000 USD
Nobel Economics goes to . .
Psychologist Daniel Kahneman – 2002
Key work 1970s onwards
Rational decisions and economics
Judgements based on heuristics and cognitive biases
“Thinking, Fast and Slow”, 2011
Behavioural economist Richard Thaler – 2017
Author of ‘Nudge’ and ‘Misbehaving’
It’s up to the Listener
Speaking to be heard
Listener’s first language –
• not your tech jargon
Listener’s current worries or priorities
Novelty
• Repeating what they expect you to say?
Safe enough to hear?
Does the speaker share my values?
Bored by how – want to know why
Audience
Listeners receptive to:
People like them
People ‘on their side’
Reflecting on prior good decisions, actions
“We have a problem to solve together”
No listening when:
In defence – thinking of a retort or worse
Worldview or self-identity under threat
Unwelcome Messages
From an insider
Easier to accept if the messenger is “here to help”
The Gruen Transfer
Most decisions are emotional, then presented as rational thinking
Psychology – Motivated Reasoning
More Psychology
Kahneman and Tversky’s heuristics
Cognitive biases to be aware of
Circa 200 and growing
Subjective reality
Heuristics
“Rules of thumb”
‘industry good practice’
‘major change = major risk’
. . .
Cognitive Biases - Anchoring
Drawn back to the first information we heard
Tendency to favour this information
Cognitive Biases – Availability Heuristic
“Top of Mind”
Recent incidents or risks = more likely
Rare incidents assumed to never occur
Kahneman: “A reliable way to make people believe in falsehoods is frequent repetition, because familiarity is not easily distinguished from truth.”
Cognitive Biases – Confirmation Bias
Look only for evidence of preferred perception
Ignore (subconsciously?) contradictory information
Cognitive Biases – Outcomes Bias
Tendency to evaluate a decision maker on the outcomes rather than on the professionalism of the decision maker, and not to assess the quality of information available at the time
Cognitive Biases – Optimism Bias
Pick any leader or executive . . .
I’m less at risk of experiencing a negative event compared to others
I’m a lucky person – always have been !!
I make my own luck (cue Clint Eastwood)
Cognitive Biases – Conservatism or “Regressive Bias”
High values and high likelihoods are overestimated
Low values and low likelihoods are underestimated
Other Biases ?
Conflict of Interest?
Fear of disadvantage to the “in group”, etc.
Hindsight bias: past incidents were more predictable than they really were at the time
Witness fallibility: six weeks – New Scotland Yard
Rumination alters memories
Cognitive Biases – Ambiguity
Tendency to avoid decisions where there is a lot of ambiguity or uncertainty, particularly ambiguity regarding outcomes
Tendency to avoid irreversible decisions
Cognitive Biases:
Automation bias: favour automated decisions or solutions
Bandwagon effect: groupthink or herding behaviours
Dunning-Kruger effect: the tendency for unskilled individuals to overestimate their own ability and the tendency for experts to underestimate their own ability
Expectation bias: tendency to focus on your expectations rather than being agnostic to all sound solutions
Risk for network engineers in CISO roles
Ref: Ramos, 2017. eBook: Analyzing the role of cognitive biases in the decision making process.
Cognitive Biases Galore
Gambler’s fallacy: future events depend on past events
Law of the instrument: nails everywhere – a carpenter with a hammer
Loss aversion – endowment effect
Sunk cost fallacy
Planning fallacy: underestimate effort – see optimism bias
Even more Biases
Zero risk bias: preference for reducing a small risk to zero vs a greater reduction in a larger risk
Zero sum bias: assuming it is a win-lose decision
Authority bias: attribute more weight to a perceived authority figure than to a more junior expert
Repetition bias: more weight if heard from multiple sources, e.g. vendors and “threat intelligence”
Wikipedia.org
Backfire Effect
Reaction to “alternative facts”™ reinforces a belief system
Facts don’t change minds: quantity and tipping point
“Information deficit model”
Facts don’t speak for themselves
Extra Notes
Recruitment – hire people:
that you like
low risk they will embarrass you
• Good skills
• Same ‘in group’