Unmodified Original Comic : Scott Adams

The operative word in the definition of risk is potential. Potential implies a gradient; shades of grey; a non-binary response. Risk is not absolute. Risk is ambiguous. It’s very easy to be fooled into inappropriately evaluating the level of risk in something because of the natural ambiguity in risk.

Risk is the potential of gaining or losing something of value.

Let’s play a little game. I’ve listed out a handful of interesting statistics. I really don’t know how true these statistics are (I found them randomly on the Internet, so they have to be true.. right?!), but looking through these items, relative to each other, will help to serve my point.

  • Odds of being killed sometime in the next year in any sort of transportation accident: 77 to 1
  • Odds of fatally slipping in bath or shower: 2,232 to 1
  • Odds of getting a hole in one: 5,000 to 1
  • Odds of being murdered: 18,000 to 1
  • Odds of being struck by lightning: 576,000 to 1
  • Dying from being left-handed and using a right-handed product incorrectly. 4,400,000 to 1
  • Being killed by a vending machine. 112,000,000 to 1
  • Chance of dying from a shark attack: 300,000,000 to 1
  • Odds of being killed on a 5-mile bus trip: 500,000,000 to 1

So.. the chances of being struck by lightning are way more than the chances of being killed by a shark or a vending machine. I also have a better chance of getting a hole in one than I do of dying on a 5-mile bus trip. Well, that’s good news for me!

The point here is that if I had presented this list and told you to list the points from highest to lowest odds, you likely would have gotten a good portion of them wrong. Why is that? A good portion of that has to do with cognitive bias in risk perception.

“A cognitive bias is a repeating or basic misstep in thinking, assessing, recollecting, or other cognitive processes. That is, a pattern of deviation from standards in judgment, whereby inferences may be created unreasonably. People create their own “subjective social reality” from their own perceptions, their view of the world may dictate their behavior.” Wikipedia

Cognitive Bias and its Impact on Risk

There are number of cognitive biases ranging from anchoring and attribution bias, to framing and halo effect. The really interesting thing about a cognitive bias is that it’s typically unknown to the person under its effect. One thing that tends to exacerbate bias is a lack of relevant data points that would give the person enough self-awareness to understand that they were under the effect of the bias in the first place.

So what does this have to do with risk and security? To properly estimate risk, one must push to improve visibility into the data surrounding that risk. Gaining additional data points helps to disambiguate the risk level by providing self awareness into biases that may be in place. In other words, you have to enhance your subjective social reality with real data that helps you make decisions.

Sadly, most security teams don’t have a firm grasp on much data around the risk that their environment is undertaking, specifically at the application layer. It’s all too common for enterprises to have focused on finding information within their firewall data, or network log data, but not touching any attack and anomaly related data coming from the application layer that they business runs upon. They simply state things like “we need to protect from SQL injection” while being completely ignorant of the real attacks that are happening against their web property. They have been biased by their environment to believe that SQL injection is the most nefarious of all attack patterns. In many cases they may be right, but in other cases there are a host of data points that could easily disprove this case for any particular enterprise web property.

Acquiring Data is a First Order Goal

Lack of real attack data and metrics is the first issue you must solve when building application security into your production systems. Without application security visibility you will be swayed by cognitive bias and make suboptimal choices about where, when, and how you are protecting your environment. Once you know where you are being attacked (specific pages and code), when you are being attacked, and by whom, you can start to craft a real security program to protect your assets. Without those data points, all that you have is guesswork.

Remember: Risk = Loss * Probability. If you are guessing at the probability of an attack you are guessing at your level of risk. Put technologies in place that give you visibility into actually probability of attack and you can significantly improve your risk assessment capabilities.

Thanks for reading. If you liked this article, will you share it?

If you are doing security in a DevOps environment, I would like to share this resource with you: The Roadmap for DevOps and Security. The book outlines the 4 key areas Security can provide value in a DevOps organization. We have a copy of it for free for you.

At Signal Sciences we provide a modern approach to application security and web application firewalls that DevOps shops love.