Applied Risk Appetite

“There is a certain uselessness in saying an organization does not want to accept high risk.”

My latest @ISACA article was published, and re-reading this line, it resonated with me even more. Risk appetite has to be defined with more fidelity than "we do not accept high risk" for it to be useful. More tips on how to do that are in the full article here.

Using Economics to Diagnose Security Model Failure

Many information security practitioners labor daily to increase security for the organizations in which they work. The task itself seems beset with obstacles. On the one hand, there is the need to acquire security funding from executives who are distracted from security by the Sturm und Drang of daily business operations, tempered by the need to embed long-term strategy in the hearts and minds of their employees. On the other hand is the near-daily obliviousness of the employees they are charged with protecting. They deal with too many clicks on too many phishing emails, accidentally unencrypted emails with government identification numbers attached, and the ever-present push to increase security awareness among a group that, at best, recognizes that security has something to do with firewalls and, at worst, sees security as getting in the way of the business generating the revenue it is tasked with acquiring. While such a scenario may seem hopeless, it is perhaps better viewed through the lens of economics. Information security economics drive behaviors, decisions, and attitudes concerning the state of security in an organization.

In the dynamic of internal political battles over security funding as well as operations, it’s easy to overlook the other forces at play. Through the lens of economics, we can reveal additional levers that contribute to the decision-making criteria. One of these is the pervasiveness of asymmetric information. For the average consumer, making decisions that increase security is often very difficult, as they lack two things that would assist them in good decision-making. The first is the domain knowledge necessary to understand what good security looks like. The dynamic between the evolution of controls and the nature and skill sets of attackers appears to shift daily. It requires nothing less than full-time devotion to understand these environmental elements well enough to make a fully informed decision, which is clearly more than the average consumer has time to devote. The second is the ability to directly observe the environments they are trying to measure. Because they are not employed in the security function of the organizations offering them security, they are necessarily withheld the non-public information about that security, information that is vital to reaching an accurate conclusion about the state of security in an organization. Consumers are often left with more readily available, yet misleading, indicators of security. These secondary and tertiary, often latent, factors are much harder to derive an accurate measure of security from.

An example of this battle of indirectly observable economic factors plays out in the world of financial services and banking. The average consumer may be notified by a bank that their information was in scope of a recent security breach. Such breach notification letters connote action yet offer assurance that any damages the customer may incur will be handled by an insurance provider. What is the customer to do? Should they follow the advice of the letter, that is, take no action, just monitor their accounts for fraud and rest assured that the firm that just lost their data will handle things, or should they move their accounts to another provider? Each customer has their own calculus for making these decisions. Some will accept the premise of the letter with an uneasy feeling, while others will stand on moral outrage and move their financial accounts to another provider. Neither decision is without its drawbacks, however. In the former, the customer has to have assessed that while security failed once, it likely won’t again, and that if it does fail, the coverage offered will be sufficient to offset any damages incurred. Note that in this option, the customer is forced to assess risk (frequency of loss as well as its impact). The latter scenario presents another set of considerations. First, the customer has to assess that whatever damages they have yet to incur are greater than the costs of switching accounts, which are not negligible. One must account for the time spent locating new providers and financial advisors, modifying automatic drafts and direct deposits, opening new accounts, and signing paperwork. This time is not trivial, and says nothing of the most important factor in making this switch: is the firm you are moving to more secure than the former? In truth, the average consumer will not know. They may choose a company that was not recently in the news for such problems (relying on secondarily observable, yet still latent, measures of security), but that does not mean problems have not occurred in the past or will not occur again. Indeed, the security of the new firm is just as opaque as that of the one the consumer just left. While switching may satisfy their moral outrage, in truth it does nothing to increase the security of their accounts.

This is but a brief analysis of the role that economics plays in describing the behaviors, decisions, and attitudes of consumers and their security choices. Even so, it helps explain the actions of large groups of people. For instance, it shows why most consumers won’t move their business to another financial provider following a breach (repeat offenders, and especially those with failures in quick succession, excluded). One may call this kind of behavior irrational, and indeed, many in the security community do just that, predicting wave after wave of defecting customers in a catastrophically spiraling disaster of attrition. Instead, what we see is in direct opposition to what was predicted. When such a conflict exists between reality and a model, reality wins. Economic principles, as applied to information security, can help explain why one model has failed, and why another model might be more correct.

Knuckle Busters

Where I live, we have been experiencing a lot of severe weather and, with it, power outages. It’s always fascinating to students of risk to watch how organizations behave in these scenarios. Especially interesting is how retail establishments deal with payment issues.

I entered an office supply store the other day to purchase some equipment I needed. It’s important to note that there were NO power outages this day. As I entered, I was told that they were unable to accept credit cards and could only take cash. Immediately, I asked why they didn’t just use the “knuckle busters” to imprint the cards. They said they couldn’t do authorization. I gestured as if turning over the imaginary credit card in my hand and told them to call the number on the back. They repeated their lines and added that it was “company-wide.” I realized I wasn’t going to get through to them (nor could they make such decisions at the store level anyway), so I left to go to another store to purchase my wares.

We live in a society that is increasingly going without cash. The latest IEEE Spectrum magazine spent an entire issue discussing the move to a cashless society. It’s for this reason that not being able to accept payment cards during an outage seems entirely unreasonable. In fact, given the proliferation of cards and dearth of cash, one might not say “accept payment cards” and just say “accept payment.” Especially at the establishment I was at, where most transactions couldn’t have been completed with the change and few bills I had on me.

So why then do so many places not have backup payment using a knuckle buster?

It’s likely just lack of planning, but let’s assume a risk-based decision-making model. We own the store and probably have numbers on how many transactions we do on a given day and for how much. If we add some information about how often the power/server/etc. goes out, we can arrive at an average amount of money we would expect to lose by not accepting credit cards during an outage. But don’t stop there: we also have to work the threat side. Consider how many people we think are going to defraud us during this time. It would seem to me (but I’m willing to be wrong) that there are not “knuckle buster” fraud rings waiting for outages to swoop in and buy up lots of office supplies with fraudulent credit cards that can’t be authorized in real time.

A risk-based approach would establish some ceiling amount – say $250 – up to which the company was willing to accept card imprints and move you on your way. Above that, they’d have someone call the number to verify funds (during my visit the store was full of bored employees pushing brooms who could have easily picked up a phone to call in the authorization for any amount, but I digress). I know that a well-known fast food restaurant that you’ve likely eaten at established a threshold for payment card transactions under which they don’t worry about online authorization. During the lunch rush, they try for online auth every time, but if they don’t get it within a time limit they set, they don’t worry about it. Take your #5 and move on; we’ll deal with it later. And if you defrauded them, they agreed to eat the cost (pun intended). This always seemed like a very reasonable approach to me, and it shows that they understand they stand to gain much more from a faster line than from strict adherence to online authorization.
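To put numbers to the outage policy sketched above, here is an added worked example (my own illustration, not code from the original post or from any retailer). It compares the per-outage loss of refusing cards outright against accepting imprints up to a ceiling and phoning in authorization above it, then multiplies by outage frequency to get the annual figure a store owner would actually budget against. The transaction sample, fraud rate, phone-authorization success rate and outage count are all constructed assumptions.

```python
"""Added worked example (not from the original post): risk-based outage policy
for card payments. Every number below is a constructed assumption."""

# Constructed sample of one day's card transactions, in dollars (hypothetical).
SAMPLE_TRANSACTIONS = [12.49, 45.00, 230.10, 18.75, 310.00,
                       64.20, 8.99, 980.00, 42.30, 155.55]


def loss_cash_only(transactions):
    """Policy A: refuse cards during an outage.
    Assumes card customers walk rather than pay cash, so every card sale is lost."""
    return round(sum(transactions), 2)


def loss_imprint_with_ceiling(transactions, ceiling, fraud_rate, call_in_success):
    """Policy B: take an imprint with no authorization for sales up to `ceiling`;
    above the ceiling, phone in for authorization.

    fraud_rate      -- share of unauthorized imprint value that turns out to be fraud
    call_in_success -- share of phone authorizations that complete; the rest walk
    """
    fraud = 0.0
    lost_sales = 0.0
    for amount in transactions:
        if amount <= ceiling:
            fraud += amount * fraud_rate                       # accepted blind
        else:
            lost_sales += amount * (1.0 - call_in_success)     # auth not obtained
    return round(fraud + lost_sales, 2)


def best_ceiling(transactions, candidates, fraud_rate, call_in_success):
    """Pick the candidate ceiling with the lowest per-outage loss.
    Ties go to the lower ceiling (less exposure for the same expected loss)."""
    return min(
        candidates,
        key=lambda c: (loss_imprint_with_ceiling(transactions, c, fraud_rate,
                                                 call_in_success), c),
    )


def expected_annual_loss(per_outage_loss, outages_per_year):
    """Frequency x impact: the figure the owner budgets against, not the scary
    worst case."""
    return round(per_outage_loss * outages_per_year, 2)


if __name__ == "__main__":
    # Assumed: 1% of blind imprints are fraudulent, 90% of phone auths complete,
    # and the store sees about four outage days a year.
    fraud_rate, call_in_success, outages = 0.01, 0.9, 4
    candidates = [0, 50, 100, 250, 500, 1000]

    print("cash only, per outage:  ", loss_cash_only(SAMPLE_TRANSACTIONS))
    print("$250 ceiling, per outage:",
          loss_imprint_with_ceiling(SAMPLE_TRANSACTIONS, 250, fraud_rate, call_in_success))
    print("best ceiling at 1% fraud:",
          best_ceiling(SAMPLE_TRANSACTIONS, candidates, fraud_rate, call_in_success))
    # If blind-imprint fraud ever exceeded the phone-auth failure rate, the
    # ceiling should drop to zero; the model makes that crossover explicit.
    print("best ceiling at 25% fraud:",
          best_ceiling(SAMPLE_TRANSACTIONS, candidates, 0.25, call_in_success))
    print("annual expected loss, $250 ceiling:",
          expected_annual_loss(
              loss_imprint_with_ceiling(SAMPLE_TRANSACTIONS, 250, fraud_rate, call_in_success),
              outages))
```

The crossover is the useful output: a blind imprint only loses money when its fraud rate exceeds the share of sales lost by making the customer wait for (or fail) a phone authorization, which is why the fast-food threshold described above is rational rather than careless. Plug in your own sales data and your actual outage history in place of the constructed sample before drawing conclusions.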

So about those storms and power outages? I bought a whole-house generator about 5 years ago. That tells you a little about our risk tolerance I guess :-)