Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:00 PM
Joshua Goldfarb
Joshua Goldfarb
Connect Directly
E-Mail vvv

Risk Assessment & the Human Condition

Five lessons the coronavirus pandemic can teach security professionals to better assess, monitor, manage, and mitigate organizational risk.

When I was in graduate school, my statistics professor repeatedly told the class: "People are notoriously bad at assessing risk." The COVID-19 pandemic is an excellent opportunity to understand this point in the context of current events.

As of late-May, the number of people killed by the coronavirus in the US stood at around 100,000. Let's assume that these deaths occurred over a two-month period (April through May). Based on that assumption, we can extrapolate out that the number of deaths on an annualized basis will be around 600,000 people.

Of course, 600,000 is a very conservative estimate, as it may very well be that the pandemic has already peaked in the US and the rate of new deaths will decline sharply. One corona model predicts the number of deaths through early August at 143,360. If we extrapolate that out, we arrive at an annualized death total of about 300,000. Half of the death toll we get to by extrapolating out two months' worth of data.

For comparison, let's take a look at the leading causes of death in the US, along with the number of people killed, per the CDC:

● Heart disease: 647,457
● Cancer: 599,108
● Accidents (unintentional injuries): 169,936
● Chronic lower respiratory diseases: 160,201
● Stroke (cerebrovascular diseases): 146,383
● Alzheimer's disease: 121,404
● Diabetes: 83,564
● Influenza and pneumonia: 55,672
● Nephritis, nephrotic syndrome, and nephrosis: 50,633
● Intentional self-harm (suicide): 47,173

COVID may end up somewhere in the middle of that chart, though time will tell. But despite what the numbers indicate, chances are that the number of people that are afraid to go to Ikea right now due to COVID-19 is far greater than the number of people that are afraid to eat unhealthy foods and skip their workout, even though that is statistically far deadlier.

Looking beyond the current pandemic, we can easily find additional examples of how people struggle to properly assess risk. If you're like me, you've met people who are afraid to fly. Yet I don't believe I've ever met anyone who is afraid to ride in a car.

Is that rational? Let's take a look at the numbers: An average of 102 people per day died (37,461 per year) in car accidents in 2016. On the other hand, 393 people died in civil aviation accidents in 2018.

Despite these numbers, some people are afraid to fly on planes, while those very same people may have no problem driving, often recklessly or while distracted or drowsy. This is the case even though your chance of dying in a plane crash is 95 times less than your chance of dying in a car accident!

I could go on, but I believe you understand my point. You might be asking yourself what this has to do with information security. That is a fair question. The coronavirus pandemic gives us a unique opportunity to learn an important security lesson: as people, we are bad at assessing and understanding risk. If we struggle with it in the kinetic world, what makes us so convinced we will succeed at it in the security realm?

This is an important mindset to have when working to assess, monitor, manage, and mitigate risk in your organization. In this spirit, I've identified five strategies to keep security professionals objective and honest when it comes to risk:

Show me the money: When it comes to risk, we need to start by looking at what threats the business face and what is their potential damage from these threats. This generally comes down to money. The type of statements we should be looking to build are: If threat X happens, it will cost Y in damage. That allows us to objectively quantify the potential damage from each threat. That's the first step in seeking to overcome our irrational human nature when it comes to risk assessment.

Model: Once damage has been quantified, models can be developed to assess and quantify risk. This, in turn, allows us to prioritize our resources. Models allow us to understand the potential impact different threats have on the business, as well as how different variables and conditions may affect that risk. Models are very useful as the threat landscape changes. In particular, when a high-publicity threat comes along, models allow us to tune out the noise and hype in order to focus far more objectively on risk.

Measure: When looking to monitor risk, metrics are extremely important. For each key risk, metrics should be developed to keep a close watch on that risk. Ensure that each metric is objective, relevant, and provides an accurate measure of the risk it is designed against. Group or aggregate metrics into families that allow you to monitor different classes or families of risks. Make sure that your metrics are designed in a modular way, such that they can be rolled-up in a variety of ways for different audiences.

Use math: Math is nothing to be afraid of when it comes to security. In fact, it can be our best friend when looking to manage risk. Develop objective ranges for your metrics. Score metrics regularly against these ranges. When certain risks begin to get too far out of range, look to mitigate them.

Report: No matter how objective and accurate your risk practice is, you'll need something to keep you honest. Report regularly and objectively to several different audiences to ensure that you have an accurate read on the risk picture, as well as the appropriate input from stakeholders. This ensures that you won't let your human subjectivity creep into your risk management practice.

Related Content:

Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really  bad day" in cybersecurity. Click for more information and to register

Josh (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs.  Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Overcoming the Challenge of Shorter Certificate Lifespans
Mike Cooper, Founder & CEO of Revocent,  10/15/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-21
BigBlueButton through 2.2.8 uses Ghostscript for processing of uploaded EPS documents, and consequently may be subject to attacks related to a "schwache Sandbox."
PUBLISHED: 2020-10-21
BigBlueButton before 2.2.8 (or earlier) does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.
PUBLISHED: 2020-10-21
In BigBlueButton before 2.2.8 (or earlier), the client-side Mute button only signifies that the server should stop accepting audio data from the client. It does not directly configure the client to stop sending audio data to the server, and thus a modified server could store the audio data and/or tr...
PUBLISHED: 2020-10-21
In BigBlueButton before 2.2.8 (or earlier), uploaded presentations are sent to clients without a Content-Type header, which allows XSS, as demonstrated by a .png file extension for an HTML document.
PUBLISHED: 2020-10-21
BigBlueButton through 2.2.8 records a video meeting despite the deactivation of video recording in the user interface. This may result in data storage beyond what is authorized for a specific meeting topic or participant.