#RSAC: McAfee CTO Calls for Risk Decisions Based on Science Not Headlines

Written by

McAfee senior vice president and CTO, Steve Grobman, took to the virtual stage at RSA Conference on May 18 with a call to action: reconsider the perception of risk by looking at data, not headlines

Grobman claimed that often the information security industry falls into the trap of perceiving risk based on how threats are portrayed in the media.

“A scientific approach is needed to measure risk and help counteract bias,” he said. Grobman used the example of a micromart as a way of doing this. A micromart is a unit of risk defined as one-in-a-million chance of death. “We can use micromort to challenge our intuition on what is actually risky and what isn’t,” he said.

“Many of our perceptions about risk in cyber are miscalibrated… We need to use science based on data to counteract the influence of social and traditional media and raw emotions,” Grobman warned.

“Organizations worry about all sorts of threats. Mass malware we see every hour. Spear-phishing attacks on critical employees we see every day. And the rare national state-directed attacks that have the potential to be devastating.  

“One observation is that the frequency of an event is inversely proportionate to its impact.”

The impact of a cyber-event, said Grobman, “has multiple levels of nuance. We need to consider the impact to an organization independently from the global impact.”

He gave the examples of WannaCry  and NotPetya, which had catastrophic effects and a global impact on numerous organizations around the world, as they spread fast and were highly disruptive. He also gave the example of other attacks that had a huge impact but only on a solo organization.

“We need to examine the different aspects of the damage that emanates from certain attacks, for example, indirect costs, such as regaining environmental integrity, which can be immense.”

“We need to understand the risk/reward benefits when we choose to engage in high-risk areas,” he continued.

Impact, Scale, Frequency

Grobman suggests a risk model that takes all factors into consideration. “Consider impact, scale and frequency. These are the three vectors that matter,” he explained. “This model is all about risk. Risk is the potential for negative outcome, whereas an event is a historical record of what has occurred. Past events don’t predict future outcomes.”

Many of our perceptions about risk in cyber are miscalibrated… We need to use science based on data to counteract the influence of social and traditional media and raw emotionsSteve Grobman

However, Grobman advised, “they can provide data to scientifically access the likelihood of future scenarios” in order to understand how to prepare defenses.

McAfee did some research into how what we should worry about aligns with what we do worry about. “We analyzed traditional and social media along with the web activity of McAfee data related to threats. We found that many of the high-profile single organization targeted attacks saw a lot of attention.

“Whereas some campaigns such as trickbot get little media coverage, but organizations need to pay greater attention to them. They act as the catalyst for secondary, high impact attack scenarios.”

Media coverage can inform us about emerging global cyber events, said Grobman, “but we need a more science-based approach. We need to comprehensively evaluate the events that impact organizations.”

In addition, Grobman advises that good cyber-hygiene and good user education to prevent everyday threats, are incredibly important. “We need a combination of technology and cyber-operators to defeat the adversary, because no technology on its own can outsmart or outplay an advanced attacker.”

In conclusion, Gobman said it is critical that “the investments we do make have the strongest benefits compared to the risks they are mitigating.

“My call to action for you is this: let’s make the best cyber-defense decisions possible. Yes, watch the news and monitor your Twitter feed, but be hyper-conscious to counter-balance natural instinct reactions driven by media and hype and ensure that every trade-off and decision you make to defend your organization is based on data and objectivity.”  

What’s hot on Infosecurity Magazine?