Misconception No.5: The "Recency" Trap

By Ed Adams


We’ve heard about the Ernst and Young employee leaving a laptop on a bus. ING had sensitive data on a laptop that was stolen. Events like these cause an interesting psychological phenomenon I refer to as “The Recency Trap” — changing your habits based on perceived risks caused by recent events.


The mistake organizations make here is overreacting to perceived threats, which in turn allows for more real or serious threats to go unattended.

A Sense of Falling

When high-profile cases like E&Y, ING, and, more recently, the VA hit the public consciousness, organizations tend to react by making adjustments in their security spend. These incidents of lost laptops or data tapes led organizations to roll out new policies to encrypt all data on laptops and in databases.

Not to say that laptop and database encryption is a bad policy, per se, but you have to understand it only mitigates the risk of physical theft of the computer or database. Further, it does not protect the organization from risks such as hacking, malicious code, bots, worms, Trojans, insider crime, unauthorized workers who steal proper authorization, criminal third parties, etc. And this all assumes encryption was implemented correctly and the organization provided ample training for their teams — which almost never happens.

The driver for the new policy was a perceived new or heightened threat. This psychology is a dangerous trap.

The same thing happens in the non-IT world, too. In 1967 Sweden changed from driving on the left side of the road to driving on the right. What happened? In the 12 months following, auto fatalities dropped by 35%. Was the right side of the road safer? Was there a major advancement in automobile safety in Sweden in 1967? No.

There was simply a change in rules and, as a result, people felt more at risk due to the recent “incident.” The sad part is that 12 months later, auto fatalities were exactly where they were pre-1967. People “forgot” they were at risk and adjusted their behavior once again.

Rising to the Occasion

When asked to qualify why you’re seeking security budget dollars, ask yourself whether the amount of spending is absolutely critical or if you’re just doing it to cover your butt. CISOs (chief information security officers) and CIOs are frequently in the position of having to justify security spend. If the drivers are eerily similar to the ones mentioned above, consider the reasons carefully before asking for those dollars.

Perhaps you’re even asked to implement a certain security solution because your board recently became aware of a security incident in a similar type of organization and they’re fearful the same might happen at your organization. While you’re asking yourself questions, ask this one, too: “If I alone had the ability to decide where and how to spend security budget, and I could only choose one place, where would I spend it?”

Often the answer is different than where your board might choose. Forcing the issue can make you a voice of reason in a world of security FUD (fear, uncertainty and doubt).

PCI in Question

The Recency Trap has even bitten compliance regulations like PCI. In my opinion, the PCI DSS (payment card industry data security standard) is one of the best efforts put forth to date to secure a company’s information systems. It isn’t perfect, but it is highly prescriptive and provides very clear guidelines on what to do (and not do) to provide a more secure computing environment when handling credit card data.

With the recent data security breaches at TJX and Stop & Shop, PCI has come under fire. After all, if both of these companies were PCI compliant, how could they have been breached so easily? There are two things to remember here:

  • Compliance does NOT equal security; and
  • The Stop & Shop breach was a carefully planned and well-orchestrated attack, specifically targeted at their point-of-sale card swiping kiosks. It was anything but an easy attack.

The fact that the PCI standards council is coming under fire because of these attacks is a shame, and it shows again that The Recency Trap is a powerful psychological gripper.

When people feel threatened, they want to point fingers. It’s only human to want to identify someone or something to blame for your feelings of insecurity. Unfortunately, this often drives us to knee-jerk reactions and poorly considered decisions.

PCI is not to blame here. In one incident it was very savvy criminals and in the other it was an organization that hid bad policies and mismanaged their applications and data.

Falling into The Recency Trap is dangerous, but, being human, we’re all prone to the psychology. One tactic to beat the pitfalls of this psychology is threat modeling.

Threat modeling is an important activity for risk management. It helps you identify which assets (or liabilities, as I prefer) are susceptible to particular threats. The basic concept is that you define a set of possible attacks and negative scenarios to consider, and then you assess the probability, potential harm, priority, and business impact of each threat.

From this point, you can define measures that minimize or mitigate the threats, which in turn help you make investment decisions. Threat modeling also helps prevent you from making rash decisions, because you’ve got a tangible and persistent model to refer to when asked about a specific threat. In the absence of threat modeling, you are more at risk of psychological over-reaction.

When you develop a threat model, it also becomes a sustainable asset. If a new vulnerability or a new threat is detected, you can reuse your threat model to determine whether you are in a state of heightened risk, decreased risk, or neutral.

A basic tenet of threat modeling is that threats are realized through scenarios that can be exploited via vulnerabilities if not mitigated with appropriate countermeasures. But you’ll never know which countermeasures are best for you if you don’t analyze the system first.
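The threat-model register described above, reduced to working code as an added example (not from the article or Security Innovation): scenarios tie a threat to an asset, a likelihood and impact score, and the vulnerabilities it runs through; a scenario with a countermeasure for every vulnerability cannot be realized, ranking shows where the one budget dollar should go, and `reassess` re-runs the persistent model when a new vulnerability or control appears. The scenarios and scores are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Scenario:
    """One way a threat is realised against an asset (a 'liability' in the article's terms)."""
    threat: str
    asset: str
    likelihood: int                      # 1 (rare) .. 5 (expected)
    impact: int                          # 1 (minor) .. 5 (business-critical)
    vulnerabilities: set = field(default_factory=set)
    countermeasures: dict = field(default_factory=dict)   # vulnerability -> control

    def exposed(self) -> set:
        """Vulnerabilities with no countermeasure: the ones the threat can still be realised through."""
        return self.vulnerabilities - set(self.countermeasures)

    def residual_risk(self) -> int:
        # A scenario whose every vulnerability is countered cannot be realised;
        # otherwise risk is the usual likelihood x impact product.
        return self.likelihood * self.impact if self.exposed() else 0


def build_model():
    """Constructed sample register; the scenarios and figures are illustrative only."""
    return [
        Scenario("laptop theft", "customer records on laptops", 3, 4,
                 {"unencrypted disk"}, {"unencrypted disk": "full-disk encryption"}),
        Scenario("web application attack", "customer database", 4, 5,
                 {"SQL injection in search form"}),
        Scenario("insider data theft", "customer database", 2, 5,
                 {"shared DBA credentials"}),
    ]


def rank(model):
    """Highest residual risk first: the answer to 'where would I spend the one dollar?'"""
    return sorted(model, key=lambda s: s.residual_risk(), reverse=True)


def reassess(model, threat, *, vulnerability=None, countermeasure=None):
    """Apply a newly found vulnerability or a deployed control to one scenario and
    report whether overall exposure is heightened, decreased or neutral."""
    before = sum(s.residual_risk() for s in model)
    scenario = next(s for s in model if s.threat == threat)
    if vulnerability:
        scenario.vulnerabilities.add(vulnerability)
    if countermeasure:
        vuln, control = countermeasure
        scenario.countermeasures[vuln] = control
    after = sum(s.residual_risk() for s in model)
    return "heightened" if after > before else "decreased" if after < before else "neutral"
```

With the encrypted laptop fully countered, the model ranks the unmitigated web application ahead of laptop theft even right after a laptop-loss headline; a newly found weakness in the encryption setup moves the model to "heightened" without displacing the top item.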

Click below for Ed's other four articles on this topic: Over-relying on Network Defenses, Believing the Hype of Technology/Tools, Too Many People Assumptions, Assuming Secure Software is Costly, and Falling into the “Recency” Trap.

Ed Adams is CEO of Security Innovation, an independent provider of application security services that include security testing and training.