Greg Young

A member of the Gartner Blog Network

The Importance of Uncertainty

August 31st, 2009 · 4 Comments

People, it turns out, are really bad at dealing with uncertainty and randomness. We are pre-programmed to see direct causes between independent factors and to treat direct links as unrelated or random. Likelihood, causation, and randomness are fundamental to IT security, and the blind spots humans have in these areas are but one reason why we aren’t better at IT security.

For a jaw-dropping read on these blind spots, pick up "The Drunkard’s Walk: How Randomness Rules Our Lives", in which Leonard Mlodinow shows through examples and history how often we take the wrong action under uncertainty, and how we usually draw the wrong conclusions from false positives, regression to the mean, and the ‘recency’ of bad events.

Think you’re immune? Quick – tell me what the odds are of one of a set of twins being a girl. If you answered anything other than 75% you have passed the Turing test and are a flawed human (and then go on to wrestle with knowing that the odds of one of them being a boy are also 75%…).
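A worked enumeration, added here as an illustration and not part of the original post: it lays out the four equally likely birth outcomes behind the 75% above, and then applies the same kind of conditioning to the false-positive trap the post mentions, a detector whose alerts are mostly wrong simply because real attacks are rare. Two assumptions are mine, not the post's: each birth is independently a girl with probability 1/2 (true of fraternal twins; identical twins always share a sex), and the attack base rate, detection rate and false-positive rate in the security case are made-up round numbers.

```python
from fractions import Fraction
from itertools import product

# Assumed for the twins puzzle: each birth is independently a girl with
# probability 1/2 (holds for fraternal twins; identical twins always share a sex).
P_GIRL = Fraction(1, 2)


def twin_sex_probabilities(p_girl=P_GIRL):
    """Enumerate the four ordered birth outcomes and price each reading of
    'one of a set of twins is a girl'.  Returns exact Fractions."""
    outcomes = list(product("GB", repeat=2))  # (G,G) (G,B) (B,G) (B,B)

    def prob(outcome):
        p = Fraction(1)
        for sex in outcome:
            p *= p_girl if sex == "G" else 1 - p_girl
        return p

    return {
        # the reading the puzzle intends: 3 of the 4 outcomes contain a girl
        "at_least_one_girl": sum(prob(o) for o in outcomes if "G" in o),
        # 'only one of them is a girl': (G,B) and (B,G)
        "exactly_one_girl": sum(prob(o) for o in outcomes if o.count("G") == 1),
        # one particular child, say the firstborn: (G,G) and (G,B)
        "firstborn_is_girl": sum(prob(o) for o in outcomes if o[0] == "G"),
    }


def alert_precision(base_rate, detection_rate, false_positive_rate):
    """P(real attack | alert fired), by Bayes' rule.

    base_rate:           fraction of observed events that are real attacks
    detection_rate:      P(alert | attack)
    false_positive_rate: P(alert | benign event)
    """
    p_alert_and_attack = base_rate * detection_rate
    p_alert_and_benign = (1 - base_rate) * false_positive_rate
    return p_alert_and_attack / (p_alert_and_attack + p_alert_and_benign)


if __name__ == "__main__":
    for name, p in twin_sex_probabilities().items():
        print(f"{name}: {p} = {float(p):.0%}")

    # Assumed numbers: 1 in 1,000 events is an attack, the detector catches 99%
    # of attacks and wrongly flags 1% of benign events.  That "99% accurate"
    # detector still produces alerts that are right less than one time in ten.
    precision = alert_precision(Fraction(1, 1000), Fraction(99, 100), Fraction(1, 100))
    print(f"P(attack | alert) = {precision} = {float(precision):.1%}")
```

The twins table shows why the question is ambiguous: "at least one" gives 3/4, while "exactly one" and "this particular child" both give 1/2, and an analyst and a stakeholder can each be right while answering different questions. The alert calculation is the same blind spot with a budget attached: judging a detector by its 99% detection rate alone, without the base rate, overstates how much to trust each alert by an order of magnitude.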

Security budgets cannot continue to outpace IT spending indefinitely at the rate they have through this recession. Enterprise security budgets are limited, and tradeoffs mean making the right choices based on what is best for your company. These choices have to be made with a great degree of uncertainty, and then defended to people who by nature are not good at dealing with uncertainty and handling the random.


Tags: Uncategorized

4 responses so far

  • 1 Twitter Trackbacks for The Importance of Uncertainty [gartner.com] on Topsy.com // Aug 31, 2009 at 5:31 pm

    [...] The Importance of Uncertainty blogs.gartner.com/greg_young/2009/08/31/the-importance-of-uncertainty – view page – cached [...]

  • 2 Stiennon // Aug 31, 2009 at 11:36 pm

    Cute. g-g, g-b, b-g, b-b. 3/4 include a girl, 3/4 include a boy.

    Can’t continue to rise you say? What if the threat rises? I think a good assumption is that security spending rises in some relation to threats. Compliance is always a driver but somewhat discretionary. After all the PCI police are not very diligent. Let alone the COBIT or ITIL enforcement agencies.

    So what percent of spending on home improvements is security related? In Ottawa or Birmingham, Michigan it is pretty small. I replaced a lock set when we bought our house. ($26 out of umpty gagillion spent on paint and blinds). Yet in parts of Johannesburg, South Africa, people need to maintain ten foot walls topped by razor wire around their community, ten foot fences around their houses, and rape gates at the top of the stairs.

    What happens if cyber criminals, terrorists, and nation states actually start attacking the enterprise? What will security spending look like then? A lot more than is spent on patch management and AV today.

  • 3 Greg Young // Sep 1, 2009 at 12:18 am

    No sir – I said “Security budgets cannot continue to outpace IT spending indefinitely”. Like the bad models for housing prices, the assumption that security spending can continue until it consumes 100% of IT spending is .. flawed.

  • 4 Ant // Sep 1, 2009 at 5:01 am

    OK, you had me for a moment there, Greg.

    The answer was obviously 50%.

    The chance of any child being a girl is 50% (plus or minus some small demographic deviation), so the chance of any child who happens to be one of twins being a girl is 50%. Thus, the chance of one *particular* child of a set of twins (firstborn, second-born) being a girl is 50%.

    As is the chance of *only* one of a set of twins being a girl.

    But, what you were asking was, what is the chance of *at least* one of a set of twins being a girl? Which is, as Richard illustrates, 75%.

    But that’s not the way I’d initially read what you wrote.

    This illustrates another reason why we’re not better at security: We don’t always ask precisely the right questions. Attackers exploit ambiguities!

    — Ant