02:00 PM
Joshua Goldfarb
Risk Assessment & the Human Condition

Five lessons the coronavirus pandemic can teach security professionals to better assess, monitor, manage, and mitigate organizational risk.

When I was in graduate school, my statistics professor repeatedly told the class: "People are notoriously bad at assessing risk." The COVID-19 pandemic is an excellent opportunity to understand this point in the context of current events.

As of late May, the number of people killed by the coronavirus in the US stood at around 100,000. Let's assume that these deaths occurred over a two-month period (April through May). Based on that assumption, we can extrapolate that the number of deaths on an annualized basis will be around 600,000 people.

Of course, 600,000 is a very conservative estimate, as it may very well be that the pandemic has already peaked in the US and the rate of new deaths will decline sharply. One coronavirus model predicts the number of deaths through early August at 143,360. If we extrapolate that out, we arrive at an annualized death total of about 300,000, half of the death toll we get by extrapolating two months' worth of data.

For comparison, let's take a look at the leading causes of death in the US, along with the number of people killed, per the CDC:

● Heart disease: 647,457
● Cancer: 599,108
● Accidents (unintentional injuries): 169,936
● Chronic lower respiratory diseases: 160,201
● Stroke (cerebrovascular diseases): 146,383
● Alzheimer's disease: 121,404
● Diabetes: 83,564
● Influenza and pneumonia: 55,672
● Nephritis, nephrotic syndrome, and nephrosis: 50,633
● Intentional self-harm (suicide): 47,173

COVID may end up somewhere in the middle of that chart, though time will tell. But despite what the numbers indicate, chances are that the number of people who are afraid to go to Ikea right now due to COVID-19 is far greater than the number of people who are afraid to eat unhealthy foods and skip their workout, even though that is statistically far deadlier.

Looking beyond the current pandemic, we can easily find additional examples of how people struggle to properly assess risk. If you're like me, you've met people who are afraid to fly. Yet I don't believe I've ever met anyone who is afraid to ride in a car.

Is that rational? Let's take a look at the numbers: An average of 102 people per day died (37,461 per year) in car accidents in 2016. On the other hand, 393 people died in civil aviation accidents in 2018.

Despite these numbers, some people are afraid to fly on planes, while those very same people may have no problem driving, often recklessly or while distracted or drowsy. This is the case even though your chance of dying in a plane crash is 95 times less than your chance of dying in a car accident!

I could go on, but I believe you understand my point. You might be asking yourself what this has to do with information security. That is a fair question. The coronavirus pandemic gives us a unique opportunity to learn an important security lesson: as people, we are bad at assessing and understanding risk. If we struggle with it in the kinetic world, what makes us so convinced we will succeed at it in the security realm?

This is an important mindset to have when working to assess, monitor, manage, and mitigate risk in your organization. In this spirit, I've identified five strategies to keep security professionals objective and honest when it comes to risk:

Show me the money: When it comes to risk, we need to start by looking at what threats the business faces and what potential damage those threats could cause. This generally comes down to money. The type of statement we should be looking to build is: If threat X happens, it will cost Y in damage. That allows us to objectively quantify the potential damage from each threat. That's the first step in seeking to overcome our irrational human nature when it comes to risk assessment.

Model: Once damage has been quantified, models can be developed to assess and quantify risk. This, in turn, allows us to prioritize our resources. Models allow us to understand the potential impact different threats have on the business, as well as how different variables and conditions may affect that risk. Models are very useful as the threat landscape changes. In particular, when a high-publicity threat comes along, models allow us to tune out the noise and hype in order to focus far more objectively on risk.

Measure: When looking to monitor risk, metrics are extremely important. For each key risk, metrics should be developed to keep a close watch on that risk. Ensure that each metric is objective, relevant, and provides an accurate measure of the risk it is designed against. Group or aggregate metrics into families that allow you to monitor different classes of risk. Make sure that your metrics are designed in a modular way, such that they can be rolled up in a variety of ways for different audiences.

Use math: Math is nothing to be afraid of when it comes to security. In fact, it can be our best friend when looking to manage risk. Develop objective ranges for your metrics. Score metrics regularly against these ranges. When certain risks begin to get too far out of range, look to mitigate them.

Report: No matter how objective and accurate your risk practice is, you'll need something to keep you honest. Report regularly and objectively to several different audiences to ensure that you have an accurate read on the risk picture, as well as the appropriate input from stakeholders. This ensures that you won't let your human subjectivity creep into your risk management practice.
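The five strategies above form one procedure: cost each threat in money, model expected loss, define metrics per family, score them against objective ranges, and roll them up for different audiences. The following Python is an added example written for this page, not code from the article or its author; every threat name, probability, dollar figure, metric value and range in it is constructed sample data, and the "green/amber/red" ranges are assumed thresholds chosen only to illustrate the scoring step.

```python
from dataclasses import dataclass

# --- Step 1 & 2: "If threat X happens, it will cost Y" and a simple model ---

@dataclass(frozen=True)
class Threat:
    name: str
    family: str               # risk family, used to roll metrics up later
    annual_probability: float  # estimated chance of at least one event per year (constructed)
    cost_per_event: float      # damage in dollars if the threat occurs (constructed)

# Constructed sample threat register; figures are illustrative only.
THREATS = [
    Threat("ransomware on file servers", "availability", 0.10, 2_000_000),
    Threat("phishing-led account takeover", "external", 0.60, 150_000),
    Threat("insider data exfiltration", "insider", 0.05, 900_000),
    Threat("public cloud bucket exposure", "external", 0.25, 400_000),
]

def expected_annual_loss(t: Threat) -> float:
    """Annualized expected loss: probability of occurrence times cost per event."""
    return t.annual_probability * t.cost_per_event

def prioritize(threats):
    """Order threats by expected loss so resources go to the costliest risk first."""
    return sorted(threats, key=expected_annual_loss, reverse=True)

def loss_avoided(t: Threat, new_probability: float) -> float:
    """What-if: how much expected loss a control removes if it lowers the probability."""
    return (t.annual_probability - new_probability) * t.cost_per_event

# --- Step 3 & 4: metrics per risk, scored against objective ranges ---

@dataclass(frozen=True)
class Metric:
    name: str
    family: str
    value: float
    green_max: float  # value <= green_max        -> "green"
    amber_max: float  # green_max < value <= amber_max -> "amber", otherwise "red"

# All metrics are expressed so that a higher value is worse (constructed values).
METRICS = [
    Metric("median days to patch critical CVEs", "external", 9.0, 7.0, 14.0),
    Metric("% of privileged accounts without MFA", "external", 18.0, 2.0, 10.0),
    Metric("% of servers with a failed backup in the last 7 days", "availability", 1.5, 2.0, 5.0),
    Metric("days since last restore test", "availability", 120.0, 30.0, 90.0),
    Metric("offboarded accounts still active", "insider", 0.0, 0.0, 3.0),
]

def score(m: Metric) -> str:
    """Score one metric against its range; the range, not a gut feeling, decides."""
    if m.value <= m.green_max:
        return "green"
    if m.value <= m.amber_max:
        return "amber"
    return "red"

def needs_mitigation(metrics):
    """Names of metrics that have drifted out of range and should be acted on."""
    return [m.name for m in metrics if score(m) == "red"]

# --- Step 5: roll the same metrics up differently for different audiences ---

_SEVERITY = {"green": 0, "amber": 1, "red": 2}

def rollup_by_family(metrics):
    """Per risk family: worst status plus a count of metrics in each status."""
    out = {}
    for m in metrics:
        fam = out.setdefault(m.family, {"worst": "green", "green": 0, "amber": 0, "red": 0})
        s = score(m)
        fam[s] += 1
        if _SEVERITY[s] > _SEVERITY[fam["worst"]]:
            fam["worst"] = s
    return out

def executive_summary(metrics):
    """Single-line view for leadership: how many metrics sit in each status."""
    counts = {"green": 0, "amber": 0, "red": 0}
    for m in metrics:
        counts[score(m)] += 1
    return counts

if __name__ == "__main__":
    for t in prioritize(THREATS):
        print(f"{t.name:35s} expected annual loss ${expected_annual_loss(t):>12,.0f}")
    print("family roll-up:", rollup_by_family(METRICS))
    print("executive summary:", executive_summary(METRICS))
    print("out of range:", needs_mitigation(METRICS))
```

Two design points follow the article's argument. The threat ranking comes only from probability times cost, so a widely publicized threat with a low expected loss lands where the numbers put it, not where the headlines do. And because each metric carries its own family and range, the same scored data can be rolled up as a per-family status for engineering leads and as a three-number summary for executives without re-scoring anything.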

Josh (Twitter: @ananalytical) is currently Director of Product Management at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, ...