
Page 1: Influencing Security Decisions · Title: Advanced Security Options Author: Mark Ames Created Date: 6/5/2019 12:21:15 PM

Influencing Security Decisions

Gary Gaskell (CISSP, CISM, CISA, CCSP, FACS, CP-Cyber Security (ACS), GAICD, M App Sc, B Eng, B IT)

E: [email protected]

W: www.infosecservices.com.au

M: 0438 603 307

With thanks to Mark Ames, CISA, CISM, CRISC

Infosec Services Pty Ltd

31 May 2019 Copyright © Infosec Services Pty Ltd 2019 1

Page 2

Objectives

• Successful exchange with management: for you, for them
• Obtaining ‘buy in’ for your security plans
• Use for good, please

Page 3

Agenda

• The science of judgements and decision making
• Putting the science to work

Page 4

Decision Making & Judgement

• Risk assessment goal = decisions
• Business case = decisions
• Decision theory debate: rational decision theory vs biased and heuristic decisions

Page 5

A Word on Uncertainty

• Judgements based on a lack of sound information
• Fear of hindsight on judgements
• Cyber security != car insurance actuarial science
• Confident speakers, witnesses etc.
• Uncertainty unsettles people
• Simple vs complicated: cognitive load
• Too many facts = “try hard”, lower credibility

Page 6

Image: Kris Straub, www.chainsawsuit.com

Page 7

Quotes from the Wise

“What you see and hear depends a good deal on where you are standing: it also depends on what sort of person you are.”

-- C. S. Lewis, The Magician’s Nephew


Page 8

Identity and Cyber Decisions

• Decisions from non-cyber people
• The role of identity: decisions show ‘who you are’
• Decision as a bet: viewpoint?
• Common knowledge is not so common

Page 9

Decision by proxy

Do you look or sound credible to a non-cyber person?


Page 10

Persuasion

Aristotle's three factors in persuasion:

• Intellectual (logos): an appeal to logical reasoning, based on analysis
• Psychological (pathos): an appeal to the audience's emotion, the self-interest of the listener
• Social or ethical (ethos): an appeal to the speaker's character: rank, credibility. Do I trust them to be honest? I couldn't tell if they were not.

Objective evidence rarely changes minds. People and their decisions respond to:

• Personal relevance and impact of a claim
• A trustworthy source

Alan Alda: tell a story!

Harvard Business Review 2013.

Page 11

Homo Economicus

• Ref: traditional economics, John Stuart Mill, Adam Smith
• Versus asset bubbles: Dutch tulip mania (1600s), stock markets (1929), dotcom bubble (1999), Bitcoin at USD 20 000

Page 12

Nobel Economics goes to . .

• Psychologist Daniel Kahneman, 2002. Key work from the 1970s onwards on rational decisions and economics: judgements based on heuristics and cognitive biases. “Thinking, Fast and Slow”, 2011
• Behavioural economist Richard Thaler, 2017. Author of ‘Nudge’ and ‘Misbehaving’


Page 14

It’s up to the Listener

• Speaking to be heard
• Listener’s first language, not your tech jargon
• Listener’s current worries or priorities
• Novelty: repeating what they expect you to say?
• Safe enough to hear?
• Does the speaker share my values?
• Bored by how, want to know why

Page 15

Audience

Listeners receptive to:
• People like them
• People ‘on their side’
• Reflecting on prior good decisions, actions
• “We have a problem to solve together”

No listening when:
• In defence, thinking of a retort or worse
• Worldview or self-identity under threat

Page 16

Unwelcome Messages

From an insider

Easier to accept if the messenger is “here to help”


Page 17

The Gruen Transfer

• Most decisions are emotional, then presented as rational thinking
• Psychology: motivated reasoning

Page 18

More Psychology

• Kahneman and Tversky’s heuristics
• Cognitive biases to be aware of: circa 200 and growing
• Subjective reality

Page 19

Heuristics

“Rules of thumb”: ‘industry good practice’, ‘major change = major risk’, . . .

Page 20

Cognitive Biases - Anchoring

• Drawn back to the first information we heard
• Tendency to favour this information

Page 21

Cognitive Biases – Availability Heuristic

• “Top of mind”
• Recent incidents or risks = more likely
• Rare incidents assumed to never occur

Kahneman: “A reliable way to make people believe in falsehoods is frequent repetition, because familiarity is not easily distinguished from truth.”

Page 22

Cognitive Biases – Confirmation Bias

• Look only for evidence of the preferred perception
• Ignore (subconsciously?) contradictory information

Page 23

Cognitive Biases – Outcome Bias

Tendency to evaluate a decision maker on the outcomes rather than on the professionalism of the decision maker, and not to assess the quality of the information available at the time.

Page 24

Cognitive Biases – Optimism Bias

Pick any leader or executive . . .

• I’m less at risk of experiencing a negative event compared to others
• I’m a lucky person, always have been!!
• I make my own luck (cue Clint Eastwood)

Page 25

Cognitive Biases – Conservatism or “Regressive Bias”

• High values and high likelihoods are overestimated
• Low values and low likelihoods are underestimated

Page 26

Other Biases?

• Conflict of interest?
• Fear of disadvantage to the “in group”, etc.
• Hindsight bias: past incidents seem more predictable than they really were at the time
• Witness fallibility: six weeks, New Scotland Yard
• Rumination alters memories

Page 27

Cognitive Biases – Ambiguity

• Tendency to avoid decisions where there is a lot of ambiguity or uncertainty, especially ambiguity regarding outcomes
• Tendency to avoid irreversible decisions

Page 28

Cognitive Biases:

• Automation bias: favour automated decisions or solutions
• Bandwagon effect: groupthink or herding behaviours
• Dunning-Kruger effect: the tendency for unskilled individuals to overestimate their own ability and the tendency for experts to underestimate their own ability
• Expectation bias: tendency to focus on your expectations rather than being agnostic to all sound solutions. A risk for network engineers in CISO roles

Ref: Ramos, 2017. eBook: Analyzing the role of cognitive biases in the decision making process.

Page 29

Cognitive Biases Galore

• Gambler’s fallacy: believing independent future events depend on past events
• Law of the instrument: nails everywhere, a carpenter with a hammer
• Loss aversion, endowment effect, sunk cost fallacy
• Planning fallacy: underestimate effort, see optimism bias

Page 30

Even more Biases

• Zero-risk bias: preference for reducing a small risk to zero vs a greater reduction in a larger risk
• Zero-sum bias: assuming it is a win-lose decision
• Authority bias: attribute more weight to a perceived authority figure than to a more junior expert
• Repetition bias: more weight if heard from multiple sources, e.g. vendors and “threat intelligence”

Wikipedia.org

Page 31

Backfire Effect

• Reaction to “alternative facts”™ reinforces a belief system
• Facts don’t change minds: quantity and tipping point, the “information deficit model”
• Facts don’t speak for themselves


Page 34

Extra Notes

Recruitment: hire people that you like, low risk they will embarrass you
• Good skills
• Same ‘in group’