Risk Assessments and Availability Bias

This post is part of my continuing exploration into the linkages between behavioral economics and information security.   I am writing these to force some refinement in my thinking, and hopefully to solicit some ideas from those much smarter than I…

===

In well-replicated studies, subjects were asked to estimate the number of homicides in the state of Michigan during the previous year. The response each subject gave varied primarily based on whether the subject recalled that the city of Detroit is in Michigan. If Detroit does not come to mind when answering the question, the reported homicide rate is much lower than when Detroit, and its crime problem, comes to mind. This is just one of the many important insights in Daniel Kahneman’s book “Thinking, Fast and Slow”. Kahneman refers to this as the “availability bias”. I’ve previously written about the availability bias as it relates to information security, but this post takes a somewhat different perspective.

The implication of the Michigan homicide question for information security should be clear: our assessments of quantities, such as risks, are strongly influenced by our ability to recall the important details that would significantly alter our judgement. This feels obvious and intuitive when discussed in the abstract; in practice, however, we often fail to consider that which we are unaware of. This is Donald Rumsfeld’s “unknown unknowns”.

In the context of information security, we may be deciding whether to accept a risk based on the potential impacts of an issue.  Or, we may be deciding how to allocate our security budget next year.  If we are unaware that we have the digital equivalent of Detroit residing on our network, we will very likely make a sub-optimal decision.

In practice, I see this most commonly cause problems in the context of accepting risks. Generally, the upside of accepting a risk is prominent in our minds, while the downsides are vague and abstract, and we often simply don’t have the details needed to fully understand either the likelihood or the impact of the risk we are accepting. We don’t know to think about Detroit.