Jim Seaman

Risk Management: Cognitive Miser(y)


I have been extremely fortunate to have been introduced to the profession of security management through my career in the RAF Police. Strangely, it was not until I had left the Royal Air Force (after 22 years) that I started to hear security discussed primarily in terms of security control frameworks and compliance.

Previously, I had been taught to look at the risks first and only then start to develop mitigation controls. We can all appreciate that, for effective risk management, we need to understand the following:

  • What is the perceived value of the assets needing to be protected?

  • What are the threats to these assets?

  • What vulnerabilities are associated with these assets?

  • What are the potential impacts, should one or more of these threats be realized against these assets?

Only when you understand these elements can you hope to judge whether (or not) you are comfortable with the level of exposure before any controls are applied (Inherent Risk) and whether it sits within your risk appetite. If not, you need to identify suitable mitigation controls to reduce the risk to a level you are comfortable with (Residual Risk).

Having selected and implemented the appropriate controls (to bring the risks down to the appropriate levels), you are then left to manage the risk that those controls fail or degrade, so as to safeguard ongoing secure business operations.

It is clear, then, that RISK plays a central part in the defense of the assets that matter for a business's success. So why is it that these businesses appear to be putting the cart before the horse, focusing more on security control frameworks and compliance than on putting the correct amount of effort into risk management?

During the investigation into the Deepwater Horizon explosion, a failure was attributed to a cognitive miser approach to risk assessment:

  • They failed to imagine how small failings compound to form a catastrophe.

  • They became accustomed to risk: because the current situation seemed to be running smoothly, they unconsciously adjusted their acceptance of risk.

  • They placed excessive faith and confidence in the systems' backups and safety devices.

  • They matched complicated technical systems with equally complicated (and ineffective) governance structures.

  • When concerned about a particular issue, they tended to spread the good news and hide the bad news.

  • People within the same field tended to think alike (an echo chamber), regardless of whether or not they were supervising the project.

What is a Cognitive Miser?

The term 'Cognitive Miser' describes the human behavioral trait whereby the brain looks to cut corners, using simpler approaches rather than employing more sophisticated or effort-intensive ways of solving a problem.

However, given how important risk management is to safeguarding your organization and to making sure that the correct controls are applied, is this really something you want to take shortcuts with?

Wiser Words Were Never Spoken

Whilst transitioning from the RAF Police to the corporate environment, I embarked on a Master of Science (MSc) in Security Management with Loughborough University. As part of this course, there were a number of on-campus events where guest speakers were invited to share their knowledge with the students.

At one such event, one of the guest speakers just happened to be a former boss of mine (Air Officer Security and Provost Marshal (RAF), Peter Drissell). In his presentation, he used a phrase that really resonated with me and helped me to reframe my approach to security management.

What did he say that was so inspiring, I hear you ask?

"Security is something that is often perceived by business leaders as being:
Expensive and Invisible!
That is, until it goes wrong!
Then it becomes very visible and considerably more expensive."

Never has this been more relevant than with businesses that take a lazy approach to risk management. They fail to realize that, by dedicating more effort and applying a more sophisticated approach to risk management, the business gains visibility of its investment in defenses, can judge whether the mitigation controls are proportionate (return on investment), and can observe the resulting risk reductions.


Take a look at your risk management practices and their output, and ask yourself the following:

  • Do these assessments seem not to represent the interests of the business?

  • Do they provide sufficient visibility of the business risks?

  • Are the risks framed around controls rather than around the business?

  • Do the risk assessments lack the detail you need to make informed decisions about the best course of action?

  • Does it feel as though these risk assessments have adopted too simplistic an approach?

  • Does the risk assessment feel like a 'hunch', as if someone has held a 'finger in the air'?

If the answer to any of these questions is YES, you may want to consider applying a more quantitative approach to your risk management practices, rather than the easier qualitative option.
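To make the quantitative option concrete, here is an added example (not from the original post or the author's books) that models the four questions listed earlier (asset value, threat, vulnerability, impact) as numbers, computes the inherent and residual expected annual loss for two candidate controls so their proportionality can be compared, and then runs a small Monte Carlo simulation to show the loss distribution that a single expected-loss figure hides. The cardholder-data scenario, the control names, their costs and their effects are all constructed for illustration; the ALE/SLE arithmetic and Knuth's Poisson sampler are standard techniques.

```python
"""Quantitative inherent vs residual risk, control proportionality and a
Monte Carlo loss distribution.  All figures are constructed for illustration."""
import math
import random
import statistics
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    """One asset/threat pairing, expressed in the four terms the post lists."""
    name: str
    asset_value: float      # perceived value of the asset (money at stake)
    exposure_factor: float  # fraction of that value lost per successful event (impact)
    event_rate: float       # threat events per year that reach the asset (threat)
    p_success: float        # chance a threat event succeeds (vulnerability)


@dataclass(frozen=True)
class Control:
    """A mitigation control, described by what it does to the scenario terms."""
    name: str
    annual_cost: float
    event_rate_multiplier: float = 1.0   # < 1.0: fewer events reach the asset
    p_success_multiplier: float = 1.0    # < 1.0: more attempts fail
    exposure_multiplier: float = 1.0     # < 1.0: each success costs less


def single_loss_expectancy(s: Scenario) -> float:
    """SLE: loss from one successful event."""
    return s.asset_value * s.exposure_factor


def annualized_loss_expectancy(s: Scenario) -> float:
    """ALE: expected loss per year.  Before any control this is the inherent risk."""
    return single_loss_expectancy(s) * s.event_rate * s.p_success


def apply_control(s: Scenario, c: Control) -> Scenario:
    """The residual scenario once the control is in place."""
    return replace(s,
                   event_rate=s.event_rate * c.event_rate_multiplier,
                   p_success=min(1.0, s.p_success * c.p_success_multiplier),
                   exposure_factor=min(1.0, s.exposure_factor * c.exposure_multiplier))


def control_value(s: Scenario, c: Control) -> dict:
    """Inherent vs residual ALE, net benefit, and return on security
    investment (ROSI = risk reduction / annual control cost)."""
    inherent = annualized_loss_expectancy(s)
    residual = annualized_loss_expectancy(apply_control(s, c))
    reduction = inherent - residual
    return {"control": c.name, "inherent_ale": inherent, "residual_ale": residual,
            "net_benefit": reduction - c.annual_cost, "rosi": reduction / c.annual_cost}


def rank_controls(s: Scenario, controls) -> list:
    """Candidate controls ordered by net benefit, most proportionate first."""
    return sorted((control_value(s, c) for c in controls),
                  key=lambda v: v["net_benefit"], reverse=True)


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; adequate for the small event rates used here."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < threshold:
            return k
        k += 1


def simulate_annual_losses(s: Scenario, years: int = 10_000,
                           sigma: float = 1.0, seed: int = 1) -> list:
    """Monte Carlo: successful events per year ~ Poisson(event_rate * p_success);
    each event's loss ~ lognormal with mean SLE and spread sigma."""
    rng = random.Random(seed)
    mu = math.log(single_loss_expectancy(s)) - sigma * sigma / 2  # lognormal mean = SLE
    rate = s.event_rate * s.p_success
    return [sum(rng.lognormvariate(mu, sigma) for _ in range(_poisson(rng, rate)))
            for _ in range(years)]


def loss_summary(losses: list) -> dict:
    """Mean, 95th-percentile year and worst year: the tail a bare ALE hides."""
    ordered = sorted(losses)
    return {"mean": statistics.fmean(ordered),
            "p95": ordered[int(0.95 * (len(ordered) - 1))],
            "worst": ordered[-1]}


# Constructed scenario and controls (hypothetical figures, for illustration only).
CARD_DATA = Scenario("cardholder data store", asset_value=5_000_000,
                     exposure_factor=0.4, event_rate=2.0, p_success=0.1)
TOKENIZATION = Control("tokenize PANs at the point of capture", annual_cost=150_000,
                       exposure_multiplier=0.1)    # a breach exposes tokens, not PANs
EXTRA_TESTING = Control("quarterly penetration testing", annual_cost=60_000,
                        p_success_multiplier=0.7)  # 30% fewer successful attempts

if __name__ == "__main__":
    print(f"inherent ALE: {annualized_loss_expectancy(CARD_DATA):,.0f}")
    for v in rank_controls(CARD_DATA, [TOKENIZATION, EXTRA_TESTING]):
        print(f"{v['control']}: residual ALE {v['residual_ale']:,.0f}, "
              f"net benefit {v['net_benefit']:,.0f}, ROSI {v['rosi']:.1f}x")
    summary = loss_summary(simulate_annual_losses(CARD_DATA, seed=7))
    print(f"simulated mean {summary['mean']:,.0f}, 95th-percentile year "
          f"{summary['p95']:,.0f}, worst year {summary['worst']:,.0f}")
```

The point of the simulation is the last line of output: with these constructed figures the expected annual loss is in the hundreds of thousands, but the 95th-percentile year is several times that, because most years see no successful event and the loss arrives in lumps. A qualitative 'medium' rating conveys none of that, and it is exactly the kind of tail that the Deepwater Horizon findings above describe people failing to imagine.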


In response to the expanding threat landscape and the growing number of cyberattacks, it has never been more important for organizations to apply the correct amount of effort to their risk assessments and to resist the temptation to focus on security controls and compliance instead.

A great example of this is the large number of payment card processing organizations who, once they become Payment Card Industry Data Security Standard (PCI DSS) compliant, feel that they are impenetrable and can never be breached. Yet we still see a great many "PCI DSS Compliant" businesses falling victim to opportunist threat actors.

It is important to remember that the Payment Card Industry Security Standards Council (PCI SSC) has done most of the leg work for these businesses: it has identified a large number of the main risks associated with payment card operations and has created a catalog of security controls for these business types.

However, it is inconceivable that the PCI SSC could identify each and every risk for each and every payment card operation and so provide every conceivable mitigating control. Consequently, the 'Cognitive Miser' approach to PCI DSS compliance is to 'tick the boxes' for the bare minimum of PCI DSS controls that apply to your payment card operations, and to look no further.

As you can see, sufficient effort and investment in your risk management practices helps ensure that you understand the perceived risks to your business and that you can make informed decisions about the courses of action that are suitable and appropriate for your organization.

If you want to learn more about this concept, you can always have a read of my books:

PCI DSS: An Integrated Data Security Standard Guide.

Protective Security: Creating Military Grade Defenses for Your Digital Business.