Friday, April 16, 2010

Stop thinking that... whatever it is you are thinking

I'm pretty sure that we don't have the faintest idea what's going through the heads of IT and even IA folks when they make risk decisions. From the fairly common results, I can say that much of the time, it's wrong, but I don't know HOW it's wrong so I'm not sure what needs correcting in the intricate jumble of education, social reinforcement and organizational baggage that's in the head of everyone (including myself) that makes risk decisions that affect the safety of your personal information.

The way we treat security incidents is pretty dysfunctional in many ways, but for today's ramble I'm really just thinking about the fact that when we do root cause analysis (you're doing root cause analysis, right?) we seem to ignore a step in the chain that could have prevented the whole problem in the first place -- a risk management decision that correctly interpreted the risk as well as the likelihood. If that had happened, in most cases steps would have been taken to prevent the mess you find yourself in. Oh, you say that the risk analysis was flawless and folks just failed to act? I've seen that happen too, in which case we need to try to understand how management interpreted:

1. Anvil falling from the sky
2. We are standing where it will land 10 seconds from now (assuming 9.8 meters per second squared acceleration)
3. It looks like a heavy anvil and will hurt when it hits us.

...and came up with the strategy "Stay where we are, we've never been hit by an anvil in the past." In all scenarios, someone isn't thinking the right thing, and we need to figure out what that is to even begin to understand how to correct it.

An example of a field whose practitioners have faced the fact that almost NOBODY instinctively thinks correctly about the topic is probability and statistics. They've thought about it, and come up with a way of figuring out exactly what wrong thinking is going on, using some test cases. Here's an example:

Most people get this wrong (from a paper by Linda S. Hirsch and Angela M. O'Donnell in the Journal of Statistics Education, Volume 9, Number 2 (2001)):

If a fair coin is tossed six times, which of the following ordered sequences of heads (H) and tails (T), if any, is LEAST LIKELY to occur?

  1. H T H T H T
  2. T T H H T H
  3. H H H H T T
  4. H T H T H H
  5. All sequences are equally likely.

It's a semi-standardized question designed to reveal what misconception a person might have about calculating probability. #5 is correct, but a lot of folks will pick #3, as it "doesn't seem sufficiently random". The diagnostically useful follow-up questions, aimed at WHY they answered what they did, are something like:

Which of the following best describes the reason for your answer to the preceding question?

1. Since tossing a coin is random, you should not get a long string of heads or tails.
2. Every sequence of six tosses has exactly the same probability of occurring.
3. There ought to be roughly the same number of tails as heads.
4. Since tossing a coin is random, the coin should not alternate between heads and tails.
5. Other _____________________________________

If we wanted to understand how the average person (or even the average IT person) thinks about risk, it would be helpful to come up with similar tests.
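To make the coin-toss diagnostic concrete, here is an added example (my own code, not from the Hirsch and O'Donnell paper) that enumerates all 64 six-toss sequences and separates the probability of one exact ordered sequence from the probability of the "category" a person is really reacting to, such as "any sequence with a run of four or more". The `CANDIDATES` table simply encodes answers 1 to 4 from the question above; the choice of "longest run" as the feature behind the #3 misconception is my assumption.

```python
from itertools import product
from fractions import Fraction

# Answers 1-4 from the question in the post, keyed by answer number.
CANDIDATES = {1: "HTHTHT", 2: "TTHHTH", 3: "HHHHTT", 4: "HTHTHH"}


def all_sequences(n=6):
    """Every ordered outcome of n fair coin tosses (2**n of them, all equally likely)."""
    return ["".join(s) for s in product("HT", repeat=n)]


def sequence_probability(seq, n=6):
    """Probability of one specific ordered sequence: exactly 1 / 2**n for a fair coin."""
    universe = all_sequences(n)
    return Fraction(universe.count(seq), len(universe))


def longest_run(seq):
    """Length of the longest run of identical consecutive tosses in seq."""
    best = cur = 1
    for prev, nxt in zip(seq, seq[1:]):
        cur = cur + 1 if prev == nxt else 1
        best = max(best, cur)
    return best


def class_probability(predicate, n=6):
    """Probability that a random n-toss sequence satisfies predicate.

    This is the 'kind of sequence' a person judges when something
    'doesn't look random' -- a different event from one exact sequence.
    """
    universe = all_sequences(n)
    hits = sum(1 for s in universe if predicate(s))
    return Fraction(hits, len(universe))


def diagnose(n=6):
    """For each candidate return (P(exact sequence), P(longest run >= this one's)).

    The first value is identical for all four candidates (answer #5 is right);
    the second is what makes #3 feel rare: its run-of-four class is 1/4, while
    #1's 'no run longer than 1' class covers every sequence. (Assumed feature.)
    """
    result = {}
    for k, seq in CANDIDATES.items():
        r = longest_run(seq)
        result[k] = (sequence_probability(seq, n),
                     class_probability(lambda x: longest_run(x) >= r, n))
    return result


if __name__ == "__main__":
    for k, (p_seq, p_class) in diagnose().items():
        print(f"#{k} {CANDIDATES[k]}: P(sequence)={p_seq}  P(run class)={p_class}")
```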