CogInjection - Protecting a Better Internet

Cognitive Injection:
Herding Lizards for Fun, Profit, and Safety
Andy Ellis
Chief Security Officer
@csoandy
Why Do People Make “Bad” Decisions?
Stupid / Incomprehensible
Business Owner / Security
Modal bias!
A typical business risk conversation
Business Owner: Here is my project. Is it safe?
Security: Here’s our ISO 27002 checklist of every mistake anyone’s ever made. Prove you haven’t.
Business Owner: That’s really long. Can you fill it out for me?
Security: Sure. You have a bunch of esoteric risk here.
Business Owner: Really? Is that a showstopper?
Security: If I say yes, you’re going to override me, aren’t you? And if I say no, I’m in trouble if this goes wrong...
Security Poverty Line
Organizations that don’t have enough resources to implement perceived basic security needs.
Security Subsistence Syndrome
“I can’t even do the barest minimum to cover my ass, so I’d better not do anything but cover my ass.”
Accruing Technical Debt
With every step forward, the undone work increases risk and makes future steps harder.
This is a dangerous way to operate!
Historical paranoia
“Monkey on rope ladder” © CC-BY-SA 2010 Rachel Coleman Finch
The economics of the Prisoner’s Dilemma
Payoffs shown as (row player, column player):

                 Cooperate      Cheat
  Cooperate      -3, -3         -10, -1
  Cheat          -1, -10        -5, -5

13% of the time!
40% of the time!
Adding value: “measuring” a security program
Security value balances perceived risk
SECURITY VALUE / PERCEIVED RISK
Tolerance of perceived risk drives to a stable equilibrium
How much security is “good enough”? (levels of SECURITY VALUE, highest to lowest)
“Perfect” security
What you need to fend off a persistent adversary
Where a good assessor can help you
“Good” security
Sufficient against the casual adversary
Enough to convince a serious auditor
Enough to fool the standard auditor
What your organization thinks it can get away with
Peltzman Effect
What your organization thinks it can get away with
Organizations don’t think: People do.
Thinking, Fast and Slow
Or do they?
System 1: The Fast Lizard-Brain
System 1: The bigot
System 1 vs System 2
LEFT LEFT LEFT LEFT RIGHT RIGHT RIGHT RIGHT
System 1 vs System 2
LEFT LEFT LEFT RIGHT RIGHT RIGHT RIGHT LEFT
System 1 in action
Annual Security Awareness Training is required by all employees to ensure your compliance with the security policies of the company while conducting your daily tasks in furtherance of our goals to protect company data, systems, and information against malfeasance, adversarial action, and other systemic failures that might be introduced by an inattention to appropriate risk management activities or non-compliance with industry standard best practices as laid out in various control frameworks such as ISO 27002, PCI, HIPAA, SOX, SSAE-16, NIST 800-53, FedRAMP…
It’s not a ROSI scenario
$5B / .01% / N/day!
Loss: $5M
Probability: 10%/yr
ALE: $500,000
$50K, $14K maintenance
10% reduction in events
Cost: $26K/yr
Savings: $50K/yr
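The arithmetic behind the slide’s ALE and ROSI figures, as an added example that is not part of the talk. It assumes the usual definitions ALE = single-loss magnitude × annual probability and ROSI = (annual loss avoided − annual cost) / annual cost, takes the $26K/yr control cost straight from the slide rather than deriving it from the $50K and $14K figures, and adds a constructed “ruin threshold” check (my assumption, not the author’s) to show why the $5B-at-0.01% case is “not a ROSI scenario” even though its ALE comes out identical.

```python
# Added example (not from the slides). Assumed definitions:
#   ALE  = single-loss magnitude * annual probability of the loss
#   ROSI = (annual loss avoided - annual cost of the control) / annual cost
# The $26K/yr control cost is taken from the slide as given.


def ale(loss_per_event: float, annual_probability: float) -> float:
    """Annualized loss expectancy in dollars per year."""
    return loss_per_event * annual_probability


def rosi(annual_loss_avoided: float, annual_cost: float) -> float:
    """Return on security investment as a fraction of the control's cost."""
    return (annual_loss_avoided - annual_cost) / annual_cost


def evaluate_control(loss_per_event: float, annual_probability: float,
                     event_reduction: float, annual_cost: float) -> dict:
    """Work one control through the ALE/ROSI arithmetic (amounts rounded to cents)."""
    base_ale = ale(loss_per_event, annual_probability)
    avoided = base_ale * event_reduction          # loss avoided per year
    return {
        "ale": round(base_ale, 2),
        "savings_per_year": round(avoided, 2),
        "net_per_year": round(avoided - annual_cost, 2),
        "rosi": round(rosi(avoided, annual_cost), 3),
    }


def is_rosi_scenario(loss_per_event: float, annual_probability: float,
                     ruin_threshold: float) -> bool:
    """Constructed check (an assumption of this example, not the talk's):
    expected-value accounting is only meaningful when a single event would
    not be existential. Two scenarios can share an ALE and still differ
    entirely in whether the organization survives the event."""
    return loss_per_event < ruin_threshold


if __name__ == "__main__":
    # Slide figures: $5M loss at 10%/yr; control cuts events by 10% and costs $26K/yr.
    print(evaluate_control(5_000_000, 0.10, 0.10, 26_000))
    # Same $500K ALE, very different risk: a $5B loss at 0.01%/yr.
    print(ale(5_000_000_000, 0.0001),
          is_rosi_scenario(5_000_000_000, 0.0001, ruin_threshold=1_000_000_000))
```

With the slide’s numbers the control nets $24K/yr (a ROSI of about 92%), which is why that case is a ROSI scenario; the $5B case produces the same ALE but fails the survivability check, and a “N/day” event stream is a capacity problem rather than an expected-value one.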
What do organizations consider risk? (people / lizards)
Business Owner: Is my P/L good? Will I gain market share?
Sales: Can I meet my quota with this?
Employees: Will I have a job?
CEO: Is this profitable?
CFO: Is this a good allocation of resources?
Security: Is this safe?
SECURITY VALUE / PERCEIVED RISK
Set-point theory of risk tolerance
Perceived risk tolerance seeks a stable equilibrium!
SECURITY VALUE / PERCEIVED RISK / ACTUAL RISK*
*not actually actual risk
Unmitigated Risk Psychosis
Attempts to leave residual risk may result in new risk budgets!
SECURITY VALUE / PERCEIVED RISK / ACTUAL RISK
Training Lizards
Risk management is like muscle memory.
Perceived Risk vs. Actual Risk (axes: PERCEIVED, ACTUAL)
Chart labels: “FUD”, awareness, threat, ignorance, stealth, improvements, risk reduction, security theater, known vulnerability, blind compliance
Actual Prisoners in a Dilemma
Payoffs shown as (row player, column player):

                 Cooperate      Cheat
  Cooperate      -3, -3         -10, -1
  Cheat          -1, -10        -5, -5

30% of the time!
19% of the time!
Where is your residual risk?
Business Owner: Competitors are gaining. Have to move faster!
Sales: That last product didn’t sell. I’ll sell something else.
Employees: This business is unprofitable. Update my resume!
CEO: Products A & B are high risk. C should be safer.
CFO: You came in over budget. Are your numbers accurate?
Security: Here’s our ISO 27002 checklist of every mistake anyone’s ever made. Prove you haven’t.
A better business risk conversation
Business Owner: Here is my project. Is it safe?
Security: I don’t know. Is it?
Business Owner: Wait, what?
Security: Here’s how to think about safety. Do you think your product is safe?
Business Owner: Ummm.... Here’s my assessment of my risk. I think this is reasonably safe.
Security: Great, glad to hear it. Can you fix those outliers in your next release?
How do you get better?
Takeaway: Improve security value
Goal of any security program: dv/dt > 0
Below the Security Poverty Line, we see Security Subsistence Syndrome: relying on resources, not capabilities.
Goal: dr/dt > 0
A good security program wants to create surplus.
Goal: dc/dt > 0
Andy Ellis
[email protected]
@csoandy
http://www.csoandy.com/
Questions, Answers, and Pontifications