intuitive risk assessment
Brilliant blog article on risk assessment by Bruce Schneier.
First para:
People have a natural intuition about risk, and in many ways it’s very good. It fails at times due to a variety of cognitive biases, but for normal risks that people regularly encounter, it works surprisingly well: often better than we give it credit for.
That first para reminds me of Malcolm Gladwell’s Blink. In Blink, Gladwell delineates the important role of the adaptive unconscious (intuition) in making instant judgment calls. He also points to situations where such intuitive judgment calls were superior to judgment calls made after weeks of research! Somewhat tangentially, I’ve noticed that it’s become almost politically incorrect to say that one is using intuition, or that one “just has a feeling” about someone, as that person will likely be deemed “prejudiced” or perhaps simply thoughtless for using his “gut” rather than his “reason.” Gladwell, however, also points to examples where using one’s intuition led to regrettable consequences, and expounds on why one approach is sometimes superior to the other.
Anyway, Schneier goes on to describe attending a security conference, where the speaker bemoaned the fact that employees at his company were not taking security seriously enough (emphasis in second paragraph added by me):
It seems to me that his co-workers understand the risks better than he [the speaker at the conference] does. They know what the real risks are at work, and that they all revolve around not getting the job done. Those risks are real and tangible, and employees feel them all the time. The risks of not following security procedures are much less real. Maybe the employee will get caught, but probably not. And even if he does get caught, the penalties aren’t serious.
Given this accurate risk analysis, any rational employee will regularly circumvent security to get his or her job done. That’s what the company rewards, and that’s what the company actually wants.
So, that’s why employees don’t follow security procedures: the penalty for circumventing them isn’t real, while the penalty for not getting the job done is. Solution: make the security penalty real. Fire them, and do so publicly. If following procedure is truly critical, then making an example out of someone is the most efficient way of changing the company culture (thought: make the example out of the guy who wasn’t doing a very good job anyway, just to minimize the impact to the company).