The Security of Fools

No, I’m NOT saying that security professionals are fools … far from it. But many of the folks whom they serve may well be overconfident in their judgments about security. Overconfidence in the face of indisputable evidence to the contrary is described in Daniel Kahneman’s article “The Surety of Fools” in the October 23, 2011 edition of The New York Times Magazine.

Such an attitude of overconfidence goes a long way in explaining why too little is spent on information security, why so many security expenditures are of the wrong type, and why it always seems to come as a surprise when a breach occurs.

Kahneman describes how, even when confronted with the fact that their predictions were little better than random guesses, evaluators “continued to feel and act as if each particular prediction was valid.” Such confidence prevails among managerial decision-makers when they are considering cybersecurity-related risks. They ask why they should invest in protecting against incidents that may never happen. They question how investments in security can be justified when the expected losses are so small. Perhaps that is why it is usually only when lawmakers and regulators up the ante with respect to the costs and consequences of breaches that significant action is taken.

Also, Kahneman believes that “people who face a difficult question often answer an easier [question] instead, without realizing it.” This would appear to apply to security professionals who respond with a list of all the good security measures in place when they are asked by the CEO: “Are we secure?” This latter question is, of course, impossible to answer, but that doesn’t stop executives from asking it.
