Wow, we sure suck at risk assessment. While I am not claiming to be an expert at risk assessment, I can definitely say that the security industry is doing a pretty bad job at it.

Okay I guess I am making blanket statements, but in my defense I think it is more than obvious the security industry is not doing a very good job. Also this is the Internet and this is my blog, so deep down I probably think I am an expert. Like most Internet experts with blogs, I will provide no answers here. However I will try to provide some insight into my grand proclamation regarding said suckage.

It is in our nature as fragile humans to worry about things that can harm us. But we tend to focus on the more spectacular than the mundane. The flashy stuff gets the attention. And I can prove it to you.

When you think of physical safety, what leaps to mind? Is it the prevention of your own murder? You just ate a fine meal at the restaurant, and are walking back to your car. It is dark. It is late. You remember your mother’s warnings about such situations, you remember those scary movies and television shows which all start with someone making that lonely walk in the dark. You are probably thinking about your own murder. Statistically speaking, when you die there is a 1 in 229 chance it will be murder that brought on your death. Yikes, that seems fairly likely. However, there is a much greater chance - 1 in 92 - that your death will be brought on by suicide. Most of us figure we’ll die by murder over suicide, right?

Truthfully, you should have been thinking about what you ate at that restaurant. Coming in as the most likely way to die, there is a 1 in 6 chance your death will be the result of heart disease.

Our security industry is a lot like that. Most marketing campaigns talk to you about the murders, with little focus on your diet. Most security vendors are selling you piece of mind by preying on your fears. And when you install that new chunk of expensive hardware, or push out that piece of software to the enterprise, you feel safer - especially if the vendor points their assessment tool at your network and happily reports nothing but green lights and smiley faces. I’ve worked for security vendors selling solutions, and I’ve worked for large companies that are trying to protect assets and feel a little safer. I’ve seen both sides of this.

Risk assessment deals a lot with weighing the likelihood of a bad security event versus your budget. You are dealing with vendors that are selling solutions to something, and they will try to convince you that their solution is the best - even if you have determined that you need to focus on one type of risk and they sell a solution for another. Complicating things can be your C level bosses pointing at scary headlines about security incidents that made the news - these bosses may not be the most technical, and maybe they just want to feel better. I mean, they read that article on the plane about those new anti-murder blankets, and sit there eating fast food while telling you to look into those blankets. And you have to think of a way to slap that chimichanga out of their mouth and hand them a healthy salad. Good luck.

Our culture perpetuates this with the portrayal of invincible hackers in the movies and on television shows, the focus of security conferences on the newest attack instead of defense, and the flavor of marketing associated with the scary versus the truly needed. It doesn’t help when we infosec folk are pressed about some obscure attack scenario and we have to state to a decision maker “Well, technically yes it could happen…” because then we’re buying a semi trailer full of anti-murder blankets.

There is something to be said for feeling safe - I get that. But I would place more emphasis on addressing the most likely risks to your organization. Some people might think I am referring to the basics, but I am referring to addressing the things you need to have in place first. If you are not patching systems quickly and not handling BYOD or remote access well, maybe these are basics. If you store large amounts of personal customer data on cloud services you administer, maybe your primary emphasis needs to be there and not on nation state attacks. You need to properly assess your risks.

When doing risk assessment remember the murder, suicide, and heart disease thing. It helps. And the picture I used above that shows the shark sighting warning sign? Death by shark is 1 in 8,000,000. If you want to feel safe, don’t go in the water. If you do go in, I hope you waited at least thirty minutes after eating, and that you made it a salad instead of a chimichanga.

On a related side note, I will be speaking at Enigma 2019 where I will be talking about physical security metaphors for the infosec industry. I hope to see you there!