In the punk anthem “Anarchy in the UK,” the lyrics tell us that punks “Don’t know what I want / But I know how to get it.” This seems exactly like today’s cyber bad guys. Most of the time they’re not even sure what goodies they will get from your network, but they do know how to take advantage of the soft spots to gain access.
Having just returned from the Gartner IAM Summit in London, I found it interesting to hear how the analysts are still beating the drum for folks to take a risk based approach to frustrate these cyber punks. The formula is simple. If you make the hardest to reach assets the ones that would be the most damaging to have exfiltrated, then you stand the best chance of keeping the punks away.
Yes, the professional bad guys may still find a way to steal your stuff. After all, they know what they want *and* how to get it. But bouncing the punks at the door will keep the noise ratio down. The less noise there is, the better chance that analytics will be able to see something is off.
Of course, having a risk based view tells you to concentrate your analytics on the highest risk assets, too. That works out perfectly from an ROI for effort standpoint. While this risk based view may keep some of the anarchy from touching your most prized assets, it’s also going to play havoc with your traditional cyber security programs.
Most security programs have not been built with a risk based approach. Security programs have, for the most part, been wall building exercises. IT security leaders and practitioners have posited that if we prevent the punks and professional bad guys from breaching the walls, then the rest is less important. That may have been the case a decade ago, but the era of mobile, cloud, constant access, and apps everywhere has turned the walls into sieves and moved the “soft center” to the very edge of our networks and beyond.
What the crowd seemed to be asking for when the analysts were saying to shift to risk based thinking was a way to get their leadership to agree. A wall seems like such a natural response to people getting in. We know the wall will not do it. How do we get others to see?
Thinking Fast and Secure
It wasn’t until the very last session of the conference that many got their answer. There was a closing keynote on the “future of work.” But the thing that had folks talking in the hallway was the ideas it evoked from one of my favorite thinkers: Daniel Kahneman. The speaker had obviously read “Thinking, Fast and Slow,” a book that explores how people’s ways of thinking affect our everyday world and how we approach everything from policy to exercise.
The speaker took a thought experiment right from the book asking the crowd this question:
If a baseball bat and a ball cost a total of $1.10, and the bat costs $1 more than the ball, then how much does the ball cost?
What this question is meant to do is show you the difference between system 1 and system 2 thinking, as Kahneman calls them. System 1 is the associative, instinctual thinking that tells you that “2 + 2” is “4” without any effort. System 2 is the type of thinking we engage when asked “38 x 234?” I won’t answer that, but you know you had to think a lot harder, a lot slower, than for “2 + 2.” System 2 is effortful, and we don’t like to use it.
So how much does that ball cost? Most people will say 10 cents, reasoning that the “$1 more” is in fact the $1 total cost for the bat. But that’s wrong. You tried to use system 1 and got burned, because system 1 wants to be lazy and ignore the word “more” in the question. In order for the bat to be a whole $1 more than the ball, the ball must be 5 cents ($.05 ball + $1.05 bat = $1.10 total, whereas $.10 ball + $1.10 bat = $1.20 total).
What’s this got to do with our risk based security and the anarchy it’s poised to cause in your IT security program? Building walls versus using risk is a more complicated ball and bat problem. Most want to use system 1 for the “the bad guys are getting our stuff” problem. System 1 says “keep them out with a wall and it’s all good.” Then it digs in its heels and gets mad when things don’t work out.
You must force your organization to use system 2 and think this through. How? Just like with the ball and bat, you must show them the numbers and tell them the right stories. Make them look at the real numbers. You can start with the always excellent Verizon Data Breach Report or even our own RSA Conference 2016 Cyber Security Survey. No one who sees these numbers can feel a wall is the right answer any more than they can argue the ball costs 10 cents.
Good security policy thinking will almost always be slow, system 2 thinking. Every one of these numbers is attached to a story that will make them feel like it could be them next. It’s terrible that IT security folks are forced into being the scaremongers, but sometimes fear is the best way to mobilize system 2 and prevent all that anarchy we want to avoid.