Since it is the time of year when students return to school, I figured it was time for me to get back to blogging. I have spent a fair amount of time this summer listening to podcasts, something I had not done much of previously. My musings have been in the areas of social sciences, behavior, consciousness and yes, even a bit of politics, but only as politics relate to the other subjects. I came across a series on NPR called “The Hidden Brain” that I have found interesting. In one episode, I immediately resonated with the subject matter, as it translated directly to the IT profession and to behavior borne out by statistics. The episode was entitled “The Ostrich Effect” which, as one could guess, set out to discuss the underlying behavior of humans who stick their heads in the sand and avoid learning information surrounding a potentially negative topic. They noted, for example, that people check their stock portfolios more often when the market is good than when it is going down. Repeatedly, research examples of information aversion were explored for topics like healthcare, finance and even politics. The perceived potential for undue stress and fear is cited as the main reason people avoid gaining a deeper understanding of a controversial subject. Rational behavior would dictate the opposite approach; as one of the podcast participants stated, “A person should never avoid information because information can never hurt a decision.” Subsequent related podcasts I listened to this summer talked about the idea of knowing the information and still choosing the wrong path, like when I order the lasagna instead of the salad for lunch. There is some fascinating research being done to try and figure out why we make wrong choices even when we know the right one.
My immediate thought in listening to these discussions was the relevance to our current cybersecurity landscape. I have heard numerous studies cited that describe the state of business cybersecurity readiness as 30% in denial, 30% active and working, and the rest aware and partially in the game. That tells me that more than half of our businesses are suffering from some form of the “Ostrich Effect”. A common thread we hear is the lack of understanding of how to even get started and what they will find when they look! Great tools exist for assessment and baselining, from penetration (pen) tests to phishing analyzers to NIST Cybersecurity Framework (https://www.nist.gov/cyberframework) compliance templates. From first-hand experience and discussions with some of our members who have done the up-front analysis, you can expect to fight the after-effects of removing your head from the proverbial sand. Most, if not all, assessments will highlight numerous vulnerabilities, point out areas of improvement and set the stage to prioritize that improvement. Some vulnerabilities will be significant, and the fact that you were unaware tugs at the egos of executives and staff. This is the crux of getting beyond the ostrich. Our present-day cyberwar is no place for emotion. Rational behavior dictates deep knowledge of the subject matter and continuous diligence. Once the assessment and baselining process is complete, one can move to “choosing the salad”. For instance, when you know 80% of breaches are through password hacks, you then choose to implement a password manager instead of keeping “12345”.
I do think things are getting better. Maybe it is the headlines and high-profile cases that are forcing the issue, so I am pleased with the progress, albeit perhaps not for the right reason. Fear is a strong motivator, but the “Ostrich Effect” research cited above suggests rationality might be a better one.