Last night I stumbled across a documentary on BBC2 (content only available to UK residents – sorry!) about the human brain. One section looked at how the brain perceives risk – obviously an interesting topic for security folk!
A test subject was placed in a brain scanner and asked to estimate the likelihood of 80 different negative events happening to him in the future – from developing cancer, to his house being burgled, to breaking a leg. Once he had stated his opinion, the real likelihood was displayed to him.
After all 80 events, the process reset and the subject was presented with the same events and asked, once again, to state his perceived likelihood, this time with some knowledge of the actual answers.
The results are surprising.
Where his initial estimate had been too pessimistic, the test subject adjusted his perception to align with the actual likelihood. However, where he had initially been too optimistic, his opinion remained largely unchanged by the facts! It was apparent that the brain actively maintained a ‘rose-tinted’ view of the risks, accommodating a more optimistic view but shunning anything more negative.
The scientists argued that the brain does this for two main reasons:
1 – To minimise stress and anxiety, with the resultant health benefits; and
2 – Because an optimistic outlook helps drive success, supports ambition and keeps humanity striving for a better future.
The new revolution in apps and social media continues at a stunning rate. Nearly every day a colleague tells me of another app or site that is bubbling up and about to hit the big time. Many will not break through, but some will capture the imagination and become the next generation of YouTube and Facebook.
The behaviour of certain apps and sites, however, gives me some cause for concern. As a recent joiner of Pinterest, I was alarmed to note that the site takes a copy of the pinned image and serves it from its own servers. The burden of managing copyright issues seems to sit firmly with the users, most of whom never give such legislation a second thought. There is a method for removing content; unsurprisingly, however, it’s not half as simple as pinning new content. Pinterest’s terms and conditions are also interesting, giving it “irrevocable, perpetual, royalty-free” permission to “exploit” member content.
Pinterest is building its value on other people’s content, which is fine as long as those people have consented. I recently looked at some interesting infographics pinned on the site, all of which must have taken considerable resources to put together, yet I never once needed to visit the source site, which might have generated the advertising income vital to enabling their creators to continue their work. I wonder if they even realize their content is available in this way?
Last night I attended a vendor presentation about cloud-based risk and the threat from nation-state attacks. Unfortunately, due to a busy schedule and a difficult journey, I arrived just as the final presentation moved to its Q&A stage. Listening to a Q&A session when I had no idea what the content of the presentation had been was actually quite an interesting experience, though not for all the best reasons. A section of the audience immediately dived into the detail and tried to find fault with the solutions that had evidently been outlined. They poked and prodded the presenter until she admitted that no solution was 100% effective and, yes, there were ways to mount a successful attack even with her recommendations in place. At that point the questioners sat back in their seats, triumphant – they had won. There seemed little interest in continuing the conversation to figure out ways to minimize the remaining risk, and their body language suggested that they had mentally discounted everything that had been said.
I was a little disappointed by this. Some security and risk (S&R) pros seem to treat information security as an academic exercise, a challenge where the best argument wins and security is a mere footnote. These are often also the ones who overreact to very complex, and very unlikely, technical threat scenarios while overlooking behaviours and processes that may be fundamentally flawed. They appear unhappy with any security solution that isn’t perfect. I had hoped we all recognised that good security is not about hitting a home run; it is much more about applying the 80/20 rule over and over again, iteratively reducing the risk to the organization.