HOW NEAR-MISS BIAS AFFECTS RISK-BASED DECISIONS
JORDAN SCHROEDER, CISSP, CISM
INTRO
WHO AM I
▸ Member of the GRC team at Visier, Inc
▸ Moderator of Security StackExchange
▸ Former teacher, actor, singer, director, Coast Guard Officer, undertaker, database designer, tax preparer, business owner, day trader
▸ http://www.linkedin.com/in/schroederjordan
▸ http://security.stackexchange.com/users/6253/schroeder
▸ https://gophishyourself.wordpress.com
RISK IS NOT ENOUGH
▸ You’ve done your calculations
▸ You’ve drafted a clear report
▸ Your research shows that a Threat is not going away
▸ You present your report expertly to decision makers
▸ They make the wrong decision …
▸ Why??
RISK IS NOT ENOUGH
▸ Data alone does not result in appropriate action
▸ Data is interpreted by the audience through a number of filters
▸ Those filters determine the resulting action
▸ “Near-Miss Bias” is a unique filter that requires specific handling
THIS PRESENTATION IS A SUMMARY OF:
2008
How Near-Misses Influence Decision Making Under Risk: A Missed Opportunity for Learning
Robin L. Dillon, Catherine H. Tinsley
McDonough School of Business, Georgetown University, Washington, D.C. 20057
THIS PRESENTATION IS A SUMMARY OF:
2012
How Near-Miss Events Amplify or Attenuate Risky Decision Making
Robin Dillon-Merrill, Catherine H. Tinsley, Matthew A. Cronin
McDonough School of Business, Georgetown University, Washington, D.C. 20057
WHAT IS IT?
COLUMBIA SHUTTLE DISASTER 2003
▸ Shedding of tank foam during ascent happened frequently
▸ Caused by debris hitting the tanks
▸ “With each successful landing, it appears that NASA engineers and managers increasingly regarded the foam-shedding as inevitable, and as either unlikely to jeopardize safety or simply an acceptable risk.”
▸ (Columbia Accident Investigation Board Report, Volume 1, 2003, p. 122)
Dillon and Tinsley, “How Near-Misses Influence Decision Making Under Risk: A Missed Opportunity for Learning”, Management Science, Articles in Advance
▸ Probabilistic analysis performed in 1990 determined that debris strikes could be catastrophic
▸ Foam loss occurred on 10% of flights
▸ Damage to foam every flight, with an average of 143 divots per flight
▸ How could this ‘obvious’ problem be overlooked?
NASA EXPERIMENT
▸ Business students in Information Management (trained in statistics and probability) were put through a simulation in which they had to navigate a Mars Rover from one crater to another
▸ Each simulated day, given a weather report, the participant had to decide whether to stay or move on, based on the weather’s chance of causing a wheel failure
▸ Those who ‘survived’ the risky choices were more prone to making riskier decisions for the next day
▸ Even when the probabilities were presented afresh each day, participants still factored their previous successes into their decisions, although they made fewer risky decisions
▸ When given the choice of knowing Near-Miss data or other data, participants were less likely to seek other data
NEAR-MISS
▸ People tend to see events as linked, not independent
▸ “hot streaks”
▸ People with Near-Miss information tend to skew towards riskier decisions
▸ People do not ignore the other data
▸ People use the data from the Near-Miss events as a source of optimism
▸ More Near-Miss data exacerbates the problem
NEAR-MISS SPECULATION: BAYES
▸ Near-Miss data incorporated with statistical data
▸ Like an inherent Bayesian analysis
▸ “My successes were because the probabilities were general and not applicable to my specific situation. My probabilities are different.”
▸ (Stats) x (Near-Miss adjustment)
▸ A version of the Gambler’s Fallacy
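As an added illustration (not from the talk or from the Dillon and Tinsley papers), the following Python model replays the Mars Rover stay/move decisions described above for a participant who silently applies the Bayesian near-miss adjustment, and compares the risk they actually took with that of a participant who believed the stated probabilities. The weather reports, the prior weight and the decision threshold are constructed values.

```python
"""Added model of the 'hidden Bayesian calculation' from the Bayes slide.

Not from the talk or the Dillon/Tinsley papers.  Assumption: the audience
behaves like a Beta-Binomial learner whose prior is the analyst's stated
probability (held with pseudo-count WEIGHT) and who counts every surviving
period as one more 'no failure' observation.  All numbers are constructed.
"""

WEIGHT = 10.0       # how many observations the stated probability is 'worth'
THRESHOLD = 0.12    # move the rover only if the believed failure risk is below this
DAILY_RISK = [0.05, 0.10, 0.15, 0.10, 0.20, 0.15, 0.25]  # constructed weather reports


def near_miss_adjusted(stated_p, near_misses, weight=WEIGHT):
    """Posterior mean of the failure probability after `near_misses` survivals.

    Prior Beta(a, b) with a = p*weight pseudo-failures and b = (1-p)*weight
    pseudo-successes; each near-miss adds one success and no failures, so the
    estimate can only drift towards zero.  That drift is the optimism the talk
    describes: the stated figure is silently discounted, never raised.
    """
    a = stated_p * weight
    b = (1.0 - stated_p) * weight
    return a / (a + b + near_misses)


def simulate(daily_risk, adjust):
    """Replay the stay/move decisions of one participant who survives every move.

    Returns the days on which they moved and the true probability that at least
    one of those moves would have ended in a wheel failure.  The daily risks are
    independent, so past survival never changes them; only the belief changes.
    """
    moved, survive, near_misses = [], 1.0, 0
    for day, p in enumerate(daily_risk):
        believed = near_miss_adjusted(p, near_misses) if adjust else p
        if believed < THRESHOLD:
            moved.append(day)
            survive *= 1.0 - p   # honest chance that this move goes well
            near_misses += 1     # ...but the believer only records 'survived again'
    return moved, 1.0 - survive


if __name__ == "__main__":
    for label, adjust in (("stated probabilities", False), ("near-miss adjusted", True)):
        moved, risk = simulate(DAILY_RISK, adjust)
        print(f"{label:>20}: moved on {len(moved)} days, "
              f"P(at least one wheel failure) = {risk:.3f}")
```

With these constructed inputs the adjusted believer moves on four days instead of three, including a day whose stated risk exceeds their own threshold, and the true chance of at least one failure rises from roughly 23% to roughly 35%.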
INFOSEC NEAR-MISSES
▸ Viruses caught on endpoints
▸ Brute-force attempts
▸ “Background radiation”
▸ Phishing domains
▸ Vishing calls
▸ “We have never had a breach”
▸ that we know about …
▸ “All these alerts are just noise”
▸ Incident Response teams are absorbing a lot of budget in hunting down all these false positives
▸ “They are just script-kiddies who don’t know what they are doing”
▸ There is no real threat
MISS - COMMUNICATING
NEAR-MISS COULD BE INTERPRETED TWO WAYS
▸ Disasters that did not occur
▸ Resilient Risks
▸ “Yay! I didn’t die!”
▸ Disasters that almost happened
▸ Vulnerable Risks
▸ “OMG! I almost died!”
Dillon-Merrill, Robin; Tinsley, Catherine H.; and Cronin, Matthew A., "How Near-Miss Events Amplify or Attenuate Risky Decision Making" (2012). Published Articles & Papers. Paper 93.
RESILIENT RISKS
▸ Results in riskier behaviours
▸ Reduction in mitigating behaviours
▸ Explicit Likelihood calculations do not change
▸ merely quietly ‘enhanced’ with a Bayesian factor when there is a call to action
THE HIDDEN CALCULATION
▸ You present your risks
▸ You present your calculations
▸ Your audience agrees with it all
▸ Your audience quietly applies their own Bayesian Near-Miss factor
▸ Your audience then decides
▸ budget, personnel, InfoSec projects, etc.
PRESENT VULNERABLE RISKS
▸ If Near-Miss information is communicated as Vulnerable Risks (“we almost died!”):
▸ and if the audience accepts that framing
▸ the effects of Resilient Risks are countered
▸ more mitigating behaviours are used
VULNERABLE CHALLENGES
▸ The audience might not accept your framing
▸ becomes a messaging issue
▸ Creates a tone of negativity (less fun, less value)
▸ The mitigations become devalued!
▸ The messenger becomes devalued!
COMMUNICATING RISK
▸ Focus on the Probabilities
▸ Frame past events as independent and not a chain
▸ Focus on the potential impact
▸ Frame Near-Misses as Vulnerable Risks
COMMUNICATING RISK - JORDAN
▸ Focus on Procedural Resiliency
▸ Combat Vulnerable Risk negativity by celebrating the resiliency of the Risk process
▸ “Yay! We are surviving because we are using the right mitigations!”
▸ Make insurance sexy
▸ Our detective controls are working!
▸ IR teams have confirmed that our users, our data, and our systems have not been compromised
▸ Our defences are effective against script-kiddies
▸ What are they not effective against?
NEAR-MISS AS RISK ASSESSMENT
MISS - ASSESSMENT
CHEAP DISASTERS
▸ Treating Near-Misses as Resilient Risks means that one might ignore them
▸ Instead, treat them as Actualized Risks for purposes of Risk Assessment
▸ Disasters that don’t cost the organization anything
CHEAP TRICKS
▸ Often the same pre-conditions as a real disaster
▸ Easy way to identify hazardous conditions
▸ Encourage and reward the reporting of Near-Misses
▸ Helps to encourage an organizational culture of safety
EXAMPLE IN INFOSEC
▸ A/V alerts that it caught a virus in an email attachment
▸ not executed, no actualized risk
▸ Every once in a while, treat it as though it was an actual infection
▸ Run the Incident Response process
▸ great training for new members
▸ Identify all vulnerable areas that were involved
▸ Recalibrate the Risk Assessments of that area
▸ Mitigate vulnerable areas
▸ Trains everyone involved
▸ Streamlines the processes
▸ Encourages a culture of safety
▸ Old-fashioned fire drill but with a real threat
SUMMARY
NEAR-MISS
▸ Past events seen as linked
▸ Near-Misses used to adjust probabilities
▸ Near-Miss data preferred over other data
▸ Used to justify riskier behaviours
COMMUNICATING NEAR-MISS
▸ Focus on Probabilities
▸ De-link events
▸ Focus on potential harm
▸ Shift to Vulnerable Risks
▸ Focus on Procedural Resiliencies
▸ Combat negativity
NEAR-MISS ASSESSMENTS
▸ Treat Near-Misses as opportunities
▸ Cheap Disasters
▸ Fire Drills
▸ Identify Vulnerable areas
▸ Communicate the importance of reporting Near-Misses
▸ Encourage a culture of safety
THANK YOU & HAPPY RISKING!