Influencing Security Decisions · Title: Advanced Security Options Author: Mark Ames Created Date: 6/5/2019 12:21:15 PM
Influencing Security Decisions
Gary Gaskell (CISSP, CISM, CISA, CCSP, FACS, CP-Cyber Security (ACS), GAICD, M App Sc, B Eng, B IT)
E: [email protected]
W: www.infosecservices.com.au
M: 0438 603 307
With thanks to Mark Ames, CISA, CISM, CRISC
Infosec Services Pty Ltd
31 May 2019 Copyright © Infosec Services Pty Ltd 2019
Objectives
• Successful exchange with management
  • For you
  • For them
• Obtaining ‘buy in’ for your security plans
• Use for good - please
Agenda
• The science of judgements and decision making
• Putting the science to work
Decision Making & Judgement
• Risk assessment goal = decisions
• Business case = decisions
• Decision theory debate: rational decision theory vs biased and heuristic decisions
A Word on Uncertainty
• Judgements based on a lack of sound information
• Fear of hindsight on judgements
• Cyber security != car insurance actuarial science
• Confident speakers, witnesses etc.
• Uncertainty unsettles people
• Simple vs complicated: cognitive load
• Too many facts = “try hard”, lower credibility
Image: Kris Straub, www.chainsawsuit.com
Quotes from the Wise
“What you see and hear depends a good deal on where you are standing: it also depends on what sort of person you are.”
-- C. S. Lewis, The Magician’s Nephew
Identity and Cyber Decisions
• Decisions from non-cyber people
• The role of identity: decisions show ‘who you are’
• Decision as a bet: viewpoint?
• Common knowledge is not so common
Decision by proxy
Do you look or sound credible to a non-cyber person?
Persuasion
Aristotle - three factors in persuasion:
• Intellectual (logos)
  • an appeal to logical reasoning
  • based on analysis
• Psychological (pathos)
  • an appeal to the audience's emotion
  • self-interest of the listener
• Social or ethical (ethos)
  • an appeal to the speaker's character
  • rank
  • credibility
  • “Do I trust them to be honest? I couldn’t tell if they were not honest”
Objective evidence rarely changes minds.
People & decisions:
• personal relevance and impact of a claim
• trustworthy source
Alan Alda: Tell a story!
Harvard Business Review 2013.
Homo Economicus
• Ref - traditional economics: John Stuart Mill, Adam Smith
• Versus asset bubbles:
  • Dutch tulip mania, 1600s
  • Stock markets, 1929
  • Dotcom bubble, 1999
  • Bitcoin $20 000 USD
Nobel Economics goes to . .
• Psychologist Daniel Kahneman – 2002
  • Key work 1970s onwards
  • Rational decisions and economics
  • Judgements based on heuristics and cognitive biases
  • “Thinking, Fast and Slow”, 2011
• Behavioural economist Richard Thaler – 2017
  • Author of ‘Nudge’ and ‘Misbehaving’
It’s up to the Listener
• Speaking to be heard
• Listener’s first language – not your tech jargon
• Listener’s current worries or priorities
• Novelty – repeating what they expect you to say?
• Safe enough to hear?
• Does the speaker share my values?
• Bored by how – want to know why
Audience
• Listeners receptive to:
  • People like them
  • People ‘on their side’
  • Reflecting on prior good decisions, actions
  • “We have a problem to solve together”
• No listening when:
  • In defence – thinking of retort or worse
  • Worldview or self-identity under threat
Unwelcome Messages
From an insider
Easier to accept if the messenger is “here to help”
The Gruen Transfer
• Most decisions are emotional, then presented as rational thinking
• Psychology – motivated reasoning
More Psychology
• Kahneman and Tversky’s heuristics
• Cognitive biases to be aware of: circa 200 and growing
• Subjective reality
Heuristics
• “Rules of thumb”
• ‘industry good practice’
• ‘major change = major risk’
• . . .
Cognitive Biases - Anchoring
• Drawn back to the first information we heard
• Tendency to favour this information
Cognitive Biases – Availability Heuristic
• “Top of mind”
• Recent incidents or risks = more likely
• Rare incidents assumed to never occur
Kahneman: “A reliable way to make people believe in falsehoods is frequent repetition, because familiarity is not easily distinguished from truth.”
Cognitive Biases – Confirmation Bias
• Look only for evidence of preferred perception
• Ignore (subconsciously?) contradictory information
Cognitive Biases – Outcomes Bias
• Tendency to evaluate a decision maker on the outcomes, rather than on the professionalism of the decision maker
• Not assessing the quality of information available at the time
Cognitive Biases – Optimism Bias
• Pick any leader or executive . . .
• “I’m less at risk of experiencing a negative event compared to others”
• “I’m a lucky person – always have been!!”
• “I make my own luck” (cue Clint Eastwood)
Cognitive Biases – Conservatism or “regressive Bias”
• High values and high likelihoods are overestimated
• Low values and low likelihoods are underestimated
Other Biases ?
• Conflict of interest?
• Fear of disadvantage of the “in group”, etc.
• Hindsight bias: past incidents were more predictable than they really were at the time
• Witness fallibility: six weeks – New Scotland Yard
• Rumination alters memories
Cognitive Biases – Ambiguity
• Tendency to avoid decisions where there is a lot of ambiguity or uncertainty, in particular ambiguity regarding outcomes
• Tendency to avoid irreversible decisions
Cognitive Biases:
• Automation bias: favour automated decisions or solutions
• Bandwagon effect: group think or herding behaviours
• Dunning-Kruger effect: the tendency for unskilled individuals to overestimate their own ability and the tendency for experts to underestimate their own ability
• Expectation bias: tendency to focus on your expectations rather than being agnostic to all sound solutions. A risk for network engineers in CISO roles.
Ref: Ramos, 2017. eBook: Analyzing the role of cognitive biases in the decision making process.
Cognitive Biases Galore
• Gambler’s fallacy: future events depend on past events
• Law of the instrument: nails everywhere - a carpenter with a hammer
• Loss aversion – endowment effect, sunk cost fallacy
• Planning fallacy: underestimate effort – see optimism bias
Even more Biases
• Zero risk bias: preference for reducing a small risk to zero vs a greater reduction in a larger risk
• Zero sum bias: assuming it is a win-lose decision
• Authority bias: attribute more weight to a perceived authority figure than to a more junior expert
• Repetition bias: more weight if heard from multiple sources, e.g. vendors and “threat intelligence”
Wikipedia.org
Backfire Effect
• Reaction to “alternative facts”™ reinforces a belief system
• Facts don’t change minds: quantity and tipping point
• “Information deficit model”
• Facts don’t speak for themselves
Extra Notes
Recruitment – hire people:
• That you like
• Low risk they will embarrass you
• Good skills
• Same ‘in group’