When I was in graduate school, my statistics professor repeatedly told the class: “People are notoriously bad at assessing risk.” The COVID-19 pandemic is an excellent opportunity to understand this point in the context of current events.
As of late May, the number of people killed by the coronavirus in the US stood at around 100,000. Let’s assume that these deaths occurred over a two-month period (April through May). Based on that assumption, we can extrapolate that the number of deaths on an annualized basis will be around 600,000 people.
Of course, 600,000 is a very conservative estimate, as it may very well be that the pandemic has already peaked in the US and the rate of new deaths will decline sharply. One corona model predicts the number of deaths through early August at 143,360. If we extrapolate that out, we arrive at an annualized death total of about 300,000, half the total we get by extrapolating two months’ worth of data.
For comparison, let’s take a look at the leading causes of death in the US, along with the number of people killed, per the CDC:
● Heart disease: 647,457
● Cancer: 599,108
● Accidents (unintentional injuries): 169,936
● Chronic lower respiratory diseases: 160,201
● Stroke (cerebrovascular diseases): 146,383
● Alzheimer’s disease: 121,404
● Diabetes: 83,564
● Influenza and pneumonia: 55,672
● Nephritis, nephrotic syndrome, and nephrosis: 50,633
● Intentional self-harm (suicide): 47,173
COVID may end up somewhere in the middle of that chart, though time will tell. But despite what the numbers indicate, chances are that the number of people who are afraid to go to Ikea right now because of COVID-19 is far greater than the number of people who are afraid to eat unhealthy foods and skip their workouts, even though that is statistically far deadlier.
Looking beyond the current pandemic, we can easily find additional examples of how people struggle to properly assess risk. If you’re like me, you’ve met people who are afraid to fly. Yet I don’t believe I’ve ever met anyone who is afraid to ride in a car.
Is that rational? Let’s take a look at the numbers: An average of 102 people per day died (37,461 per year) in car accidents in 2016. On the other hand, 393 people died in civil aviation accidents in 2018.
Despite these numbers, some people are afraid to fly on planes, while those very same people may have no problem driving, often recklessly or while distracted or drowsy. This is the case even though your chance of dying in a plane crash is 95 times less than your chance of dying in a car accident!
I could go on, but I believe you understand my point. You might be asking yourself what this has to do with information security. That is a fair question. The coronavirus pandemic gives us a unique opportunity to learn an important security lesson: as people, we are bad at assessing and understanding risk. If we struggle with it in the kinetic world, what makes us so convinced we will succeed at it in the security realm?
This is an important mindset to have when working to assess, monitor, manage, and mitigate risk in your organization. In this spirit, I’ve identified five strategies to keep security professionals objective and honest when it comes to risk:
Show me the money: When it comes to risk, we need to start by looking at what threats the business faces and what damage those threats could cause. This generally comes down to money. The type of statement we should be looking to build is: if threat X happens, it will cost Y in damage. That allows us to objectively quantify the potential damage from each threat. That’s the first step in seeking to overcome our irrational human nature when it comes to risk assessment.
Model: Once damage has been quantified, models can be developed to assess and quantify risk. This, in turn, allows us to prioritize our resources. Models allow us to understand the potential impact different threats have on the business, as well as how different variables and conditions may affect that risk. Models are very useful as the threat landscape changes. In particular, when a high-publicity threat comes along, models allow us to tune out the noise and hype in order to focus far more objectively on risk.
Measure: When looking to monitor risk, metrics are extremely important. For each key risk, metrics should be developed to keep a close watch on that risk. Ensure that each metric is objective, relevant, and provides an accurate measure of the risk it is designed against. Group or aggregate metrics into families that allow you to monitor different classes or families of risks. Make sure that your metrics are designed in a modular way, such that they can be rolled up in a variety of ways for different audiences.
Use math: Math is nothing to be afraid of when it comes to security. In fact, it can be our best friend when looking to manage risk. Develop objective ranges for your metrics. Score metrics regularly against these ranges. When certain risks begin to get too far out of range, look to mitigate them.
Report: No matter how objective and accurate your risk practice is, you’ll need something to keep you honest. Report regularly and objectively to several different audiences to ensure that you have an accurate read on the risk picture, as well as the appropriate input from stakeholders. This ensures that you won’t let your human subjectivity creep into your risk management practice.
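The five strategies above form one procedure: put a dollar figure on each threat, build a model from those figures, measure each key risk with a metric, score the metrics against objective ranges, and roll the results up for different audiences. The following Python sketch is an added example of that procedure, not code from the author; every threat, rate, cost, metric name and threshold in it is a constructed, hypothetical sample value, and the model used is the simple annualized loss expectancy (ALE = expected occurrences per year × loss per occurrence).

```python
"""Toy quantitative risk register illustrating the five strategies: damage in
money, a simple model, metrics, objective ranges, and roll-up reporting.
Constructed example: every threat, rate, cost and threshold below is a
hypothetical sample value, not data from any real organisation."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Threat:
    name: str
    family: str             # class of risk the threat belongs to
    annual_rate: float      # expected occurrences per year (ARO)
    loss_per_event: float   # expected damage per occurrence, in dollars (SLE)

    def annualized_loss(self) -> float:
        """'If threat X happens, it will cost Y': expected yearly damage (ALE = ARO * SLE)."""
        return self.annual_rate * self.loss_per_event


@dataclass(frozen=True)
class Metric:
    """A lower-is-better metric with an objective green/amber/red range."""
    name: str
    family: str
    green_max: float        # at or below this value the risk is acceptable
    red_min: float          # at or above this value mitigation is required

    def score(self, value: float) -> str:
        if value <= self.green_max:
            return "green"
        if value >= self.red_min:
            return "red"
        return "amber"


SEVERITY = {"green": 0, "amber": 1, "red": 2}


def prioritize(threats: List[Threat]) -> List[str]:
    """Rank threats by expected yearly cost, highest first (the money, not the headlines)."""
    return [t.name for t in sorted(threats, key=lambda t: t.annualized_loss(), reverse=True)]


def annualized_loss_by_family(threats: List[Threat]) -> Dict[str, float]:
    """Sum expected yearly loss per risk family."""
    totals: Dict[str, float] = {}
    for t in threats:
        totals[t.family] = totals.get(t.family, 0.0) + t.annualized_loss()
    return totals


def score_metrics(metrics: List[Metric], observed: Dict[str, float]) -> Dict[str, str]:
    """Score each observed value against its range; an unreported metric counts as red (unmeasured is unmanaged)."""
    return {m.name: m.score(observed[m.name]) if m.name in observed else "red" for m in metrics}


def roll_up(metrics: List[Metric], statuses: Dict[str, str]) -> Dict[str, str]:
    """Worst status per family, so one red detail is never averaged away by green neighbours."""
    worst: Dict[str, str] = {}
    for m in metrics:
        current = worst.get(m.family, "green")
        if SEVERITY[statuses[m.name]] >= SEVERITY[current]:
            worst[m.family] = statuses[m.name]
    return worst


def executive_report(threats: List[Threat], metrics: List[Metric],
                     observed: Dict[str, float]) -> Dict[str, Dict[str, object]]:
    """One row per risk family, ordered by expected yearly loss, with the current metric status."""
    losses = annualized_loss_by_family(threats)
    status = roll_up(metrics, score_metrics(metrics, observed))
    families = sorted(set(losses) | set(status), key=lambda f: -losses.get(f, 0.0))
    return {f: {"annualized_loss": round(losses.get(f, 0.0), 2), "status": status.get(f, "red")}
            for f in families}


# Constructed sample data (hypothetical values).
THREATS = [
    Threat("Ransomware outbreak", "Endpoint", 0.2, 2_000_000),
    Threat("Phishing-led account takeover", "Identity", 4.0, 25_000),
    Threat("Misconfigured cloud storage exposes data", "Cloud", 1.0, 150_000),
    Threat("Widely publicised flaw in software we barely use", "Endpoint", 0.05, 50_000),
]
METRICS = [
    Metric("pct_hosts_missing_critical_patches", "Endpoint", green_max=5, red_min=20),
    Metric("pct_accounts_without_mfa", "Identity", green_max=2, red_min=10),
    Metric("median_days_to_close_phishing_report", "Identity", green_max=1, red_min=5),
    Metric("publicly_readable_storage_buckets", "Cloud", green_max=0, red_min=3),
]
OBSERVED = {  # this month's measurements (constructed)
    "pct_hosts_missing_critical_patches": 12,
    "pct_accounts_without_mfa": 1.5,
    "median_days_to_close_phishing_report": 7,
    "publicly_readable_storage_buckets": 4,
}

if __name__ == "__main__":
    for name in prioritize(THREATS):
        print(name)
    for family, row in executive_report(THREATS, METRICS, OBSERVED).items():
        print(f"{family:10} ${row['annualized_loss']:>12,.0f}  {row['status']}")
```

The point of the sample data is the one the "Model" strategy makes: the widely publicised flaw ranks last once its expected cost is written down, while the unglamorous phishing and storage risks rank near the top. The roll-up deliberately takes the worst status in each family rather than an average, so the executive view cannot turn a red metric green, and a metric nobody reported scores red rather than disappearing from the report.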
Josh (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs. Previously, Josh served as VP, CTO – Emerging Technologies at FireEye and as Chief Security Officer for …