#RSAC: McAfee CTO Calls for Risk Decisions Based on Science Not Headlines

May 18, 2021
McAfee senior vice president and CTO, Steve Grobman, took to the virtual stage at RSA Conference on May 18 with a call to action: reconsider the perception of risk by looking at data, not headlines.

Grobman claimed that often the information security industry falls into the trap of perceiving risk based on how threats are portrayed in the media.

“A scientific approach is needed to measure risk and help counteract bias,” he said. Grobman used the example of a micromort as a way of doing this. A micromort is a unit of risk defined as a one-in-a-million chance of death. “We can use micromort to challenge our intuition on what is actually risky and what isn’t,” he said.

“Many of our perceptions about risk in cyber are miscalibrated… We need to use science based on data to counteract the influence of social and traditional media and raw emotions,” Grobman warned.

“Organizations worry about all sorts of threats. Mass malware we see every hour. Spear-phishing attacks on critical employees we see every day. And the rare national state-directed attacks that have the potential to be devastating.

“One observation is that the frequency of an event is inversely proportionate to its impact.”

The impact of a cyber-event, said Grobman, “has multiple levels of nuance. We need to consider the impact to an organization independently from the global impact.”

He gave the examples of WannaCry and NotPetya, which spread fast, were highly disruptive and had a catastrophic, global impact on numerous organizations around the world. He also gave the example of other attacks that had a huge impact but only on a single organization.

“We need to examine the different aspects of the damage that emanates from certain attacks, for example, indirect costs, such as regaining environmental integrity, which can be immense.”

“We need to understand the risk/reward benefits when we choose to engage in high-risk areas,” he continued.

Impact, Scale, Frequency

Grobman suggests a risk model that takes all factors into consideration. “Consider impact, scale and frequency. These are the three vectors that matter,” he explained. “This model is all about risk. Risk is the potential for negative outcome, whereas an event is a historical record of what has occurred. Past events don’t predict future outcomes.”
