

Joshua Goldfarb

Risk Assessment & the Human Condition

Five lessons the coronavirus pandemic can teach security professionals to better assess, monitor, manage, and mitigate organizational risk.

When I was in graduate school, my statistics professor repeatedly told the class: "People are notoriously bad at assessing risk." The COVID-19 pandemic is an excellent opportunity to understand this point in the context of current events.

As of late May, the number of people killed by the coronavirus in the US stood at around 100,000. Let's assume that these deaths occurred over a two-month period (April through May). Based on that assumption, we can extrapolate that the number of deaths on an annualized basis will be around 600,000 people.

Of course, 600,000 is a very conservative estimate, as it may very well be that the pandemic has already peaked in the US and the rate of new deaths will decline sharply. One corona model predicts the number of deaths through early August at 143,360. If we extrapolate that out, we arrive at an annualized death total of about 300,000, half of the death toll we get by extrapolating two months' worth of data.

For comparison, let's take a look at the leading causes of death in the US, along with the number of people killed, per the CDC:

● Heart disease: 647,457
● Cancer: 599,108
● Accidents (unintentional injuries): 169,936
● Chronic lower respiratory diseases: 160,201
● Stroke (cerebrovascular diseases): 146,383
● Alzheimer's disease: 121,404
● Diabetes: 83,564
● Influenza and pneumonia: 55,672
● Nephritis, nephrotic syndrome, and nephrosis: 50,633
● Intentional self-harm (suicide): 47,173

COVID may end up somewhere in the middle of that chart, though time will tell. But despite what the numbers indicate, chances are that the number of people who are afraid to go to Ikea right now due to COVID-19 is far greater than the number of people who are afraid to eat unhealthy foods and skip their workout, even though that is statistically far deadlier.

Looking beyond the current pandemic, we can easily find additional examples of how people struggle to properly assess risk. If you're like me, you've met people who are afraid to fly. Yet I don't believe I've ever met anyone who is afraid to ride in a car.

Is that rational? Let's take a look at the numbers: An average of 102 people per day died (37,461 per year) in car accidents in 2016. On the other hand, 393 people died in civil aviation accidents in 2018.

Despite these numbers, some people are afraid to fly on planes, while those very same people may have no problem driving, often recklessly or while distracted or drowsy. This is the case even though your chance of dying in a plane crash is 95 times less than your chance of dying in a car accident!

I could go on, but I believe you understand my point. You might be asking yourself what this has to do with information security. That is a fair question. The coronavirus pandemic gives us a unique opportunity to learn an important security lesson: as people, we are bad at assessing and understanding risk. If we struggle with it in the kinetic world, what makes us so convinced we will succeed at it in the security realm?

This is an important mindset to have when working to assess, monitor, manage, and mitigate risk in your organization. In this spirit, I've identified five strategies to keep security professionals objective and honest when it comes to risk:

Show me the money: When it comes to risk, we need to start by looking at what threats the business faces and what the potential damage from those threats is. This generally comes down to money. The type of statement we should be looking to build is: If threat X happens, it will cost Y in damage. That allows us to objectively quantify the potential damage from each threat. That's the first step in seeking to overcome our irrational human nature when it comes to risk assessment.

Model: Once damage has been quantified, models can be developed to assess and quantify risk. This, in turn, allows us to prioritize our resources. Models allow us to understand the potential impact different threats have on the business, as well as how different variables and conditions may affect that risk. Models are very useful as the threat landscape changes. In particular, when a high-publicity threat comes along, models allow us to tune out the noise and hype in order to focus far more objectively on risk.

Measure: When looking to monitor risk, metrics are extremely important. For each key risk, metrics should be developed to keep a close watch on that risk. Ensure that each metric is objective, relevant, and provides an accurate measure of the risk it is designed to track. Group or aggregate metrics into families that allow you to monitor different classes of risk. Make sure that your metrics are designed in a modular way, such that they can be rolled up in a variety of ways for different audiences.

Use math: Math is nothing to be afraid of when it comes to security. In fact, it can be our best friend when looking to manage risk. Develop objective ranges for your metrics. Score metrics regularly against these ranges. When certain risks begin to get too far out of range, look to mitigate them.

Report: No matter how objective and accurate your risk practice is, you'll need something to keep you honest. Report regularly and objectively to several different audiences to ensure that you have an accurate read on the risk picture, as well as the appropriate input from stakeholders. This ensures that you won't let your human subjectivity creep into your risk management practice.
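As an added illustration of the five steps above (this code is not from the article or its author), here is a minimal quantified risk register in Python. The expected-loss model (annual likelihood times cost), the threats, the dollar figures and the per-family ranges are all constructed assumptions, chosen so that a high-publicity threat scores below two mundane ones.

```python
# Added example (not from the article): a small quantified risk register that
# follows the five steps: quantify damage, model, measure, score, report.
# Expected annual loss = likelihood x cost is an assumed model; all threats,
# figures and ranges below are constructed sample data.
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    family: str                # metric family used for roll-ups
    annual_likelihood: float   # estimated probability of occurring in a year
    cost_if_it_happens: float  # "if threat X happens, it will cost Y"

    @property
    def expected_loss(self) -> float:
        return self.annual_likelihood * self.cost_if_it_happens


# Constructed register: one headline-grabbing threat and two mundane ones.
REGISTER = [
    Threat("zero-day in headline-grabbing appliance", "external", 0.02, 2_000_000),
    Threat("phishing leading to credential theft", "people", 0.60, 250_000),
    Threat("unpatched internal server compromise", "patching", 0.30, 400_000),
]

# Objective ranges per family (constructed): expected loss above the
# threshold is out of range and should be queued for mitigation.
RANGES = {"external": 50_000, "people": 100_000, "patching": 100_000}


def rank_by_expected_loss(register):
    """Model step: order threats by quantified risk, not by publicity."""
    return sorted(register, key=lambda t: t.expected_loss, reverse=True)


def roll_up(register):
    """Measure step: aggregate expected loss per metric family."""
    totals = {}
    for t in register:
        totals[t.family] = totals.get(t.family, 0.0) + t.expected_loss
    return totals


def out_of_range(register, ranges):
    """Use-math step: families whose score exceeds their objective range."""
    return sorted(f for f, v in roll_up(register).items() if v > ranges[f])


def executive_report(register, ranges):
    """Report step: a short, objective summary for a non-technical audience."""
    lines = [f"{t.name}: expected annual loss ${t.expected_loss:,.0f}"
             for t in rank_by_expected_loss(register)]
    lines.append("out of range: " + (", ".join(out_of_range(register, ranges)) or "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(executive_report(REGISTER, RANGES))
```

With these constructed figures the zero-day ranks last (expected loss $40,000) while phishing and patching exceed their ranges, which is the "tune out the hype" effect the Model paragraph describes.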


Josh (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for ...
