How to make better decisions in information security
If you had unlimited resources (money, people, time) to fix security in your organization, what would you address? (in order of priority)
This is a question I often ask people at the end of interviews during my assessments.
People often have a list of things they want fixed. The problem is choosing which of those things to fix.
Two problems exist in security:
Organizations that don’t know their unknown unknowns
Organizations that do know, but are under-resourced.
Choice Overload In Security
For today, I will be focusing on organizations that know about security issues that exist in their organization.
Let’s step back for a second though and go over choice.
Here are some statistics:
The average American makes up to 70 choices per day
Average CEO is engaged in 139 tasks with many sub-choices
50% of decisions made by those CEOs were made in nine minutes or less. Only 12% took an hour or more of their time.
Many organizations that choose to understand more about their security posture are often not prepared for the deluge of information and decisions that are heading towards them.
What often ends up happening is that High and Critical items get addressed, but Medium and Low items often do not.
What is sometimes under-appreciated by organizations is how medium and low risk vulnerabilities can be chained together, or used as stepping stones in a follow-on attack, so that in combination they amount to a high or critical vulnerability.
Why is it hard to do security, when we have all the information?
According to Sheena Iyengar, there are four steps to making better decisions:
Cut
Concretize
Categorize
Condition for Complexity
Let’s go over these and how they can apply in Information Security.
Choosing Security: Cut
We all know that “Less is More”. In this sense, we don’t want to drop or hide vulnerabilities, but what we should do is help distill the items to our audience. For example, infrastructure security issues can go to the infra team, appsec issues (per app) should go to the particular team.
In Information Security, we are generally doing a good job here with dashboards, executive summaries, and etc.
Where it becomes a problem, especially for those for whom security is not their primary role, is the number of choices for solutions! Distilling the number of solutions, and better still naming the top recommended solution, helps with choice overload.
Another tool is to establish SLAs. If an engineer knows they have 60 days to fix a medium severity issue, it makes their decision easier.
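To make the "cut" concrete, here is a small triage helper, added as an example and not part of the original post. It routes findings to the owning team, attaches an SLA deadline per severity, surfaces one top recommendation per team, and, picking up the earlier point about chained findings, raises lower-severity findings on the same asset to the combined severity when they complete a known chain. The SLA table, routing map, chain rules and findings are all constructed for illustration; real policies and chain knowledge will differ.

```python
"""Triage helper: route findings, attach SLA deadlines, escalate known chains.

Added example (not the author's code). SLA_DAYS, ROUTING, CHAIN_RULES and the
SAMPLE findings are constructed for illustration.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional, Tuple

# Assumed remediation SLAs in days per severity; Informational has no clock.
SLA_DAYS: Dict[str, int] = {
    "Critical": 7, "High": 30, "Medium": 60, "Low": 120, "Informational": 0,
}
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Assumed routing: the finding category decides the owning team.
ROUTING = {"infra": "infra-team", "appsec": "app-team"}

# Constructed chain rules: if all listed finding types are present on one asset,
# each of them is treated at the combined severity (never lowered).
CHAIN_RULES: List[Tuple[FrozenSet[str], str, str]] = [
    (frozenset({"open-redirect", "oauth-redirect-uri-weak"}), "High",
     "open redirect plus weak redirect_uri validation allows token theft"),
    (frozenset({"verbose-error", "outdated-library"}), "High",
     "version disclosure makes a known library exploit targeted"),
]


@dataclass(frozen=True)
class Finding:
    id: str
    asset: str
    category: str        # key into ROUTING
    finding_type: str    # key used by CHAIN_RULES
    severity: str
    found: date
    note: str = ""


def sla_due(f: Finding) -> Optional[date]:
    """Deadline derived from the severity SLA; None when no clock applies."""
    days = SLA_DAYS[f.severity]
    return f.found + timedelta(days=days) if days else None


def escalate_chains(findings: List[Finding]) -> List[Finding]:
    """Raise findings that complete a chain rule on the same asset."""
    by_asset: Dict[str, List[Finding]] = {}
    for f in findings:
        by_asset.setdefault(f.asset, []).append(f)
    out: List[Finding] = []
    for fs in by_asset.values():
        present = {f.finding_type for f in fs}
        for f in fs:
            sev, note = f.severity, f.note
            for needed, combined, why in CHAIN_RULES:
                if (needed <= present and f.finding_type in needed
                        and SEVERITY_RANK[combined] > SEVERITY_RANK[sev]):
                    sev, note = combined, f"escalated: {why}"
            out.append(replace(f, severity=sev, note=note))
    return out


def triage(findings: List[Finding], today: date) -> Dict[str, List[Tuple[Finding, date, int]]]:
    """Per team: (finding, due date, days left) sorted by deadline, then severity."""
    queues: Dict[str, List[Tuple[Finding, date, int]]] = {}
    for f in escalate_chains(findings):
        due = sla_due(f)
        if due is None:
            continue  # Informational: tracked, but kept off the action list
        queues.setdefault(ROUTING[f.category], []).append((f, due, (due - today).days))
    for items in queues.values():
        items.sort(key=lambda t: (t[1], -SEVERITY_RANK[t[0].severity]))
    return queues


def top_recommendation(queues: Dict[str, List[Tuple[Finding, date, int]]]) -> Dict[str, str]:
    """One recommended fix per team: the finding due soonest."""
    return {team: items[0][0].id for team, items in queues.items() if items}


# Constructed sample data.
TODAY = date(2024, 6, 1)
SAMPLE = [
    Finding("F-1", "portal.example", "appsec", "open-redirect", "Low", date(2024, 4, 1)),
    Finding("F-2", "portal.example", "appsec", "oauth-redirect-uri-weak", "Medium", date(2024, 4, 1)),
    Finding("F-3", "db-01", "infra", "weak-tls-cipher", "Medium", date(2024, 5, 20)),
    Finding("F-4", "db-01", "infra", "banner-disclosure", "Informational", date(2024, 5, 20)),
    Finding("F-5", "api.example", "appsec", "missing-rate-limit", "Medium", date(2024, 4, 15)),
]

if __name__ == "__main__":
    for team, items in triage(SAMPLE, TODAY).items():
        print(team)
        for f, due, left in items:
            print(f"  {f.id} {f.severity:<6} due {due} ({left:+d} days) {f.note}")
    print("top:", top_recommendation(triage(SAMPLE, TODAY)))
```

On the sample data, F-1 on its own is a Low with a four-month SLA and would sit at the back of the app team's queue; because F-2 is present on the same asset, both are escalated to High, their deadline moves to 30 days from discovery, and F-1 becomes the single recommended fix while F-5 waits. F-4 never reaches the action list, which is the practical answer to the Informational category question discussed later in the post.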
Choosing Security: Context Is Everything
Concretization helps provide additional context behind the choice.
For example which one do you think will get more immediate attention for a VP of Engineering:
There is an XSS issue found in your web application and it needs to be fixed. It's marked as High.
There is an XSS issue found in your web application that could lead to a takeover of your admin portal. The difficulty in exploiting this vulnerability is low, especially compared with other XSS categories.
Did you choose #2?
Notice I didn't even mark it as "High" in the second example. I always would, of course, but I wanted to illustrate the point a little more.
Choosing Security: Categorization
Our brains are smart machines, we just need to feed them the right input. For example, we can handle more categories than we can handle choices.
A typical security report would have five severity categories: Critical, High, Medium, Low and Informational.
Informational is always kind of an annoying category personally. I’m giving information to the business, but telling them they don’t need to do anything with that information. It’s a struggle I’m sure other practitioners face.
What many organizations have done is add additional data to their findings. These include:
Choosing Security: Condition for Complexity
Just like exercise, or any challenge for that matter, we need to condition ourselves for the task. If you were to try to run a marathon tomorrow without any experience, you would not do well, to put it lightly.
The same for handling complex information. We need to be conditioned for ingesting and making decisions on this information.
This is where security professionals shine. We have tons of contextual information from our experience, current news, and talking to colleagues to help us distill and ingest this information easily.
For those outside the security industry, it may take some time and brain allocation, to ramp up, but I have seen many succeed. Whether they want to dedicate brain power and time to this, or relegate this to an Information Security professional is another matter, but a decision that needs to be made.
Conclusion: Choosing Insecurity or Security
Every day we have choices to make in security.
We can choose to:
Fix a vulnerability
Accept the risk of a vulnerability
Doing nothing at all is clearly a very risky choice.
However, as security professionals, or those involved in security, we need to present the information in an actionable and digestible way (an age-old problem), and we need to inform, or be informed of, the context and additional information behind each finding.
For more in-depth information on the psychology of choice: