Interesting info security insights come from unlikely sources.
For today’s aside, I submit Barry Ritholtz’s talk to a group of ETF bankers titled “Fixing Your Clients’ Behavior.” The big idea behind Barry’s talk is that we tend to fear the wrong things. Certain types of events loom larger in our psyches than they should, given their actual mathematical likelihood and total impact on our lives.
Take sharks. Americans are terrified of shark attacks. Ridiculously so. In fact, 38% of Americans polled won’t swim in the ocean because of it. However, if Americans were paying attention to the numbers, there’s another terror that should worry them more:
Yes… Selfies. Selfies are deadlier than Sharks, Vending Machines, Football, Skateboarding. Hell, selfies are deadlier than MOUNT EVEREST! (To be fair to Mount Everest, I’m confident that its kill-ratio is higher. You da man, Everest).
It goes without saying that Selfies (and Sharks, and Erotic Asphyxiation) are certainly more deadly than domestic terrorism by immigrants from seven certain countries. Those immigrants caused 0 (zero) terror fatalities in the USA in 2016. And zero again in 2015, zero in 2014, zero in 2013, zero in 2012, zero in 2011, zero in 2010, zero in 2009, zero in 2008, zero in 2007, zero in 2006, zero in 2005, zero in 2004, zero in 2003, zero in 2002, zero in 2001, zero in 2000, zero in 1999, zero in 1998, zero in 1997, zero in 1996, zero in 1995, zero in 1994 …
(You get the point.)
Humans (even professional information security humans, or CISO humans, or SOC leader humans) are notoriously poor at judging actual risk. It’s not their fault. It’s the way our brains are wired. We feel, we hope, we follow hunches, we assume things. But we don’t have to be ruled by our hunches.
That’s why it’s so important to instrument security in the enterprise so that you can get the hard data you need to make rational decisions based on empirical data – not assumptions. If you’re spending $20M a year on information security products and services, wouldn’t it be nice to have hard numbers on what parts of your CURRENT defensive stack are working, what’s not, and where your future dollars might be best spent?
Just ask a friend to take your picture, OK?