[BreachExchange] IoT, Cyber Security, and the Probability Challenge

[Audrey McNeil]

https://dzone.com/articles/iot-cyber-security-and-the-probability-challenge

It's summertime. The sun is shining. A warm breeze is blowing. And you're
about to dive into a big bowl of ripe, red strawberries. You can picture
it, right?

Now try to picture a million strawberries. Or how about a billion. Not as
easy, is it? Whether a million or a billion, that many strawberries start
to mesh together and look the same. That's because humans weren't designed
to visualize those kinds of whopping numbers. In fact, an old joke among
cognitive scientists says that we humans count like this: “One, two, three,
many.”

As it turns out, because humans are cognitively challenged at counting
large numbers, we’re also not so good at probability analysis. Absent
real-world metrics, can we really conceptualize the difference between one
in a million versus one in a billion? If your answer is, “Of course we
can,” then think again about visualizing the difference between a million
strawberries and a billion strawberries. For us humans, large probabilities
become fuzzy very quickly.

Yet executives and cyber practitioners are tasked with making security
decisions where the probability of occurrence is the key variable in both
the amount of investment and concern.

Looking at a real-world example, let’s say there is a one in 100 million
chance that a particular piece of industrial equipment will be attacked. If
a factory has 100,000 pieces of equipment, does that mean, by
extrapolation, that there is a one in 1,000 chance that at least one of
those pieces will be attacked? What if the probability analysis is off by a
factor of 10, or worse, a factor of 100? What if instead of factories, we
start looking at Industrial Internet of Things (IIoT) devices, where there
may be millions deployed? It quickly becomes mind-boggling. With 50 billion
devices expected to be connected to the Industrial Internet by 2020,
assessing risk with large numbers is no longer an academic exercise.

While the probability of attack against industrial environments is an
on-going discussion, what we do know is that operational technology (OT)
and IIoT devices are vulnerable to attack. We also know that nearly 70% of
utility, oil and gas, manufacturing, and energy companies reported at least
one security breach in a 12-month period.

Yet business decision-makers are still finding it difficult to agree on
exactly what the probabilities are.

No doubt, if a power company’s leadership team could walk into a board
meeting and say with certainty that there is a 10% chance that a plant will
be attacked within the year, and that the attack will result in two weeks
of unplanned downtime and loss of human life, the board would say, “Tell us
what’s needed to prevent that from happening.”

But if the same team were to go in and say, “We’re not sure. There’s maybe
a 0.1% chance of something bad happening,” they wouldn’t be making a great
case for investing in security.

Organizations may know who the threat actors are, why they attack, and what
the potential impact of attacks are. But the probability of being attacked,
especially if they’ve never been attacked before can be difficult to grasp.
And therein lies one of the inherent challenges of trying to make a
business case for investing in security.

There is an economic theory around how humans make risk-based decisions
that tells us a lot about cyber security decision-making. In 2002,
psychologist Daniel Kahneman won the Nobel Memorial Prize in Economic
Sciences for his groundbreaking research on the prospect theory that
identified an inherent, genetic behavior in the area of decision-making
under uncertainty. Via a straightforward experiment, he was able to
demonstrate how people make decisions around risk, finding that most are
risk-averse with respect to gains and risk-seeking with respect to losses.

The experiment, which has been replicated many times over with different
demographics and across diverse domains, has always shown extremely close
and regular results. This is how it works:

A room full of people is divided into two groups. The first group is given
this choice: would they rather receive a guaranteed $100 right now? Or
would they prefer to flip a coin and take a 50-50 chance of getting $150 or
winding up with nothing?

The second group is asked to make a different choice: Told that the
government has just introduced a new tax, they are asked to choose to pay
$100 straight away. Or they, too, could flip a coin and take a 50-50 chance
of having to pay $150 or nothing at all.

In group one, approximately 75% of participants will consistently choose to
keep the $100 and not take the chance. In group two, approximately 75% of
participants will decide to take a chance and flip the coin.

As Kahneman has written, “For most people, the fear of losing $100 is more
intense than the hope of gaining $150.”

There has been much analysis around these results. You can change the
terms, the vocabulary, the people, but what Kahneman did, and the reason he
earned the Nobel Prize, was that he showed that humans are willing to
gamble 75% of the time on a potential loss; but also willing to keep a sure
thing 75% of the time.

Kahneman believed the choices had to do with evolutionary biology. If we
think about how cavemen survived, they were likely better off getting a
little bit of food and guaranteeing survival than taking a chance on not
eating anything at all. In other words, they were better off chasing a
smaller animal, eating what they could, and only running when a predator or
other risk of danger appeared.

That’s why most of us are willing to flip a coin in terms of how much,
when, and where to invest on cyber security.

If organizations have not experienced a significant attack, it is difficult
to tell them they need to deploy a certain security solution. Even if they
were told, with perfect accuracy, of the probability of an attack, 75% of
the time they would still roll the dice, take a chance, and not purchase
security.

But what if organizations were to begin to think of security in terms of
preserving gains and ways they could instill confidence with their boards
that production and operational processes were working effectively?

Prospect theory suggests that while we may be reluctant to invest in cyber
security to prevent losses from a hypothetical attack that might not
happen, we are much more likely to invest in helping achieve a desired,
positive outcome. By recognizing that a bird in hand is always more
desirable than a 50% chance of two birds in a bush, organizations can now
reframe the cyber investment imperative to one of confidence.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170714/813d69d5/attachment.html>