Misperceived risk haunts security programs

The role that people play in security vulnerabilities should not be underestimated. This was the view of Malcolm Harkins, CISO at Intel, who delivered one of the morning keynote addresses at today’s Forrester Security Forum.

What his presentation examined was the nature of the most potent risks organizations face. “There is a unique element to people that creates the most significant vulnerability we face today and in the future. It’s the misperception of risk.”

He continued by acknowledging that this misperception is shared by security professionals, end users, and business leaders alike.

So why do people misperceive risk? Harkins asked. “Risk gets exaggerated or underestimated”, he answered, and the drivers of this misperception are fundamentally economics and psychology, seen from the individual’s perspective.

He cautioned that security professionals should not go overboard in exaggerating risks, because businesses deal with these types of decisions all the time. Conversely, security practitioners, end users, and management should never underestimate the risks they face either.

A delicate balancing act is required, said Harkins, and he implored security pros not to “take a victim’s approach to managing information risk and security”. Instead, he suggested that organizations accept some tenets as “irrefutable laws of information security”:

  1. Information wants to be free: people want to talk, post, and share. Information leaks will still occur regardless of controls, even if they are not intentional.
  2. Code wants to be wrong: We will never have 100% error-free software. There are just too many lines of code. Speaking of apps, Harkins quipped: “How much security do we think is built into something that’s only $.99? Not much!”
  3. Users want to click: If they are connected to the internet, people will click on things (Harkins shared that 4400 of approximately 81000 Intel employees clicked on last week’s “Here You Have” email worm).
  4. Even a security feature can be used for harm. “Controls can cause risk”, Harkins said, admitting that he “worr[ies] about the controls as much as wanting to put them in”.

Far from asking his audience to just throw their hands up in the air in the face of security risks, Harkins shared several techniques he uses to help mitigate threats. First and foremost was objectivity, and the need to approach problem solving without an alarmist’s perspective. Furthermore, security practitioners must see things as they are and without bias, while also maintaining the ability to understand multiple viewpoints.

Harkins closed with a four ‘P’s’ approach to risk mitigation: prediction, persistence, patience, and preparedness.

By implementing proactive measures to identify attacker identity, objectives, and methods, organizations won’t necessarily be blindsided when a security event occurs. A plan for a sustained approach to monitoring security threats is also vital, especially when management underestimates certain vulnerabilities. And even when management does undervalue a perceived risk, security professionals should still be ready with a rapid response plan that helps contain, repair, and recover from an incident.

Using these objective techniques, Harkins believes, helps security departments remain agile, while also helping them gain influence by being seen as proactive rather than reactive.

In the end, the Intel CISO’s advice on effective risk management and preparedness is quite simple: “Compromise is inevitable under any compute model. Managing the risk and surviving is the key.”