Selfies, Sharks and the Psychology of Risk Management
Selfies kill more people than sharks. This fact doesn’t make sense. Sharks are terrifying. The current generation of CISOs were raised on the Jaws movies. Think of death by shark and a number of images immediately spring to mind. Images with teeth. Do the same with death by selfie, and the thoughts are fuzzier. This difference in our ability to imagine the danger, known as salience bias, is but one example of how we don’t handle risk well. When security leaders seek support for controls, our human nature can become a stumbling block.
In the early days of security, we had a problem. We knew there were technology changes to be made. We knew there were technology investments to be made. And so, we described these in very technical ways when advocating for our security programs with management. Blank stares were too often the result. Other business teams were getting funding by talking about business risk. In a bolt of obvious inspiration, security switched to talking about risk. Today, most every change and investment is anchored in IT risk management.
But today we have a new problem. People aren’t all that good at making risk-based decisions. To start with, people push back against uncertainty, and risk management is fundamentally about presenting two or more uncertain options to get one selected and funded. Then there are a host of cognitive biases that muddy up risk-based decisions. How was the business case framed? How was the supporting data delivered? People often weigh the first pieces of data more heavily. And that’s assuming we have good data. With security breaches being infrequent but high-impact events, even finding relevant statistics is a challenge. The result is business cases which are ignored, shelved or deprioritized.
A different approach to building a business case is to focus on the value side of the equation. People don’t swim with sharks because they are concerned about the downside. People do take selfies because they are focused on the benefits. Namely, fun. Applied to business cases, the least appealing security control is one that only protects us from being eaten. There must be some benefit beyond simple protection to make a strong case for a control. This often comes down to providing a better experience for people. Our industry hasn’t functioned in this way, so finding examples here is tricky.
But here are some common ones:
Fewer passwords to remember with password managers
Simplified logins with Single Sign-On (SSO)
Fewer steps by removing the need to VPN in
Security tools may never be as fun as capturing the right selfie. And CISOs unveiling their new business case may never have the pizzazz of Steve Jobs unveiling an iPhone. But it is important to move in that direction. Yes, certainly use risk management to identify the right problems to solve. Use risk management to weigh the pros and cons of potential solutions. From there, however, it is about providing value to the organization and people. Make it simple. Make it appealing. In doing so, take security beyond shark repellent.