Common Sense Risk

Author: Jack Freund, Ph.D., CISA, CISM, CRISC, CGEIT, CDPSE, Chief Risk Officer, Kovrr
Date Published: 18 March 2024

Recently, I read a book called Everything is Obvious (Once You Know the Answer) by Duncan Watts. It is one of those books that changed how I thought about everything, including cybersecurity. Watts is a trained physicist but holds teaching positions in the social sciences, where he tries to bring the rigor of the empirical sciences to his teaching. Watts’ book examines our understanding of the world through the lens of common sense, challenging binary thinking and emphasizing thoughtful contemplation over impulsive reactions. The question is: How does this concept relate to cybersecurity?

To answer this, we need to delve into the core principles of both fields. The basic foundation of cybersecurity is similar to that of information systems, which concerns itself with the interactions of people, processes, hardware, and software (a definition you have likely heard before). As a result, we borrow plenty from the social sciences in terms of how to motivate and incentivize certain behaviors at the expense of others.

Cyberrisk management is a thoughtful discipline that considers why bad things happen and how to change the outcomes. This means that we, as professionals in the field, have to build a model of reality, simulate different parameters, and recommend the best course of action (risk management is a form of decision science). Daniel Kahneman elaborates on how we build these models using either instinctive (innate) or analytical (logical) thinking, the System 1 and System 2 of Thinking, Fast and Slow. Likewise, Duncan Watts explores the problems with binary thinking and introduces a familiar concept, common sense. Watts explains that common sense does not mean we reacted too quickly or listened to our gut. Rather, it means that we thought the matter through, but without any formal experiment or research to test whether the conclusion is actually right.

Watts says this about common sense:

“What we don’t realize, however, is that common sense works just like mythology. By providing ready explanations for whatever particular circumstance the world throws at us, common sense explanations give us the confidence to navigate from day to day and relieve us of the burden of worrying about whether what we think we know is really true, or is just something we happen to believe.”

I cannot help but think about this idea all the time when discussing cybersecurity, and even more so when modeling cyberrisk. How much of what we know about the science of cybersecurity is just the collective wisdom of those who have worked as a chief information security officer (CISO) or a director at major organizations (and thus carry survivorship bias)? Given that the probability of a major loss at any one of those organizations in a given year is very low, how much of their track record can be attributed to their practices versus luck? The same people who go on to write standards may very well reinforce the same biases.

If we apply Watts’ concept of common sense to the broad field of security, then we need to examine our approach to optimizing cybersecurity programs. Are we merely making sense of these programs based on our intuition, or do we truly comprehend their complexities? This leads one inevitably toward the need to conduct quantitative modeling of risk. If we assume that cybersecurity aims to protect organizations from risk, then we must ask how we can quantitatively measure risk and all the security activities that are required to manage it.

Quantitatively managing your security program means that you need to be able to give solid, evidence-backed recommendations for how much budget should be allocated to cybersecurity (and, more important, to which control programs at the expense of others), how much insurance should be bought, and how much capital should be set aside for a bad day. All three of these numbers need to be interrelated, because they are driven by the same loss distribution: controls change how often and how badly events occur, insurance transfers part of what remains, and capital absorbs the retained tail. Only by testing our common sense against measurement do we cease to manage cybersecurity using the equivalent of mythology. It is always important to analyze our assumptions and ask if we truly know a thing (and to keep the model to the few variables we can actually measure) or if we simply think that it is true.
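The following is an added illustration, not code from the article or from the author's own tooling, of how those three numbers come out of one loss model. It simulates annual loss as a Poisson event count with lognormal event severities (the frequency-times-magnitude structure used in FAIR), applies a single insurance layer with a deductible and a limit, derives the capital reserve as the retained loss at a chosen confidence level minus the expected retained loss, and ranks candidate control programs by expected-loss reduction per dollar. Every parameter value (event rate, median severity, deductible, limit, control costs and effects) is a constructed assumption for demonstration, not a calibrated figure.

```python
"""Added example: a small Monte Carlo cyber loss model linking control budget,
insurance purchased and capital reserved. All parameters are constructed
assumptions for illustration only."""
import math
import random


def poisson(rng, lam):
    """Draw one Poisson(lam) variate (Knuth's method; adequate for small lam)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(n_years, freq_lambda, sev_median, sev_sigma, seed=7):
    """Annual gross loss = sum of lognormal event losses; event count ~ Poisson.

    freq_lambda: expected loss events per year
    sev_median:  median loss per event (lognormal parameterised by its median)
    sev_sigma:   lognormal shape; larger means a fatter tail
    A fixed seed keeps runs reproducible so options can be compared.
    """
    rng = random.Random(seed)
    mu = math.log(sev_median)
    losses = []
    for _ in range(n_years):
        events = poisson(rng, freq_lambda)
        losses.append(sum(rng.lognormvariate(mu, sev_sigma) for _ in range(events)))
    return losses


def apply_insurance(loss, deductible, limit):
    """Split one annual loss into (retained, insured) under a single policy layer.

    The insured keeps everything up to the deductible and everything above
    deductible + limit; the insurer pays the layer in between.
    """
    retained = min(loss, deductible) + max(0.0, loss - deductible - limit)
    return retained, loss - retained


def percentile(values, p):
    """Nearest-rank percentile, p in (0, 1]."""
    ordered = sorted(values)
    idx = max(0, math.ceil(p * len(ordered)) - 1)
    return ordered[idx]


def summarize(losses, deductible, limit, confidence=0.95):
    """Expected and tail losses, gross and retained, plus the capital reserve.

    capital_reserve is the unexpected retained loss: what the balance sheet
    must cover beyond the expected loss that the operating budget absorbs.
    """
    retained = [apply_insurance(l, deductible, limit)[0] for l in losses]
    expected_gross = sum(losses) / len(losses)
    expected_retained = sum(retained) / len(retained)
    retained_var = percentile(retained, confidence)
    return {
        "expected_gross": expected_gross,
        "gross_var": percentile(losses, confidence),
        "expected_retained": expected_retained,
        "retained_var": retained_var,
        "capital_reserve": retained_var - expected_retained,
    }


def rank_controls(baseline, controls, n_years=20000):
    """Order candidate control programs by expected-loss reduction per dollar.

    baseline: dict of freq_lambda, sev_median, sev_sigma before any control
    controls: dicts with name, annual_cost and the parameter(s) a control
              changes (a frequency control lowers freq_lambda, a resilience
              control lowers sev_median)
    """
    base = simulate_annual_losses(n_years, **baseline)
    base_el = sum(base) / len(base)
    rows = []
    for c in controls:
        params = dict(baseline)
        params.update({k: c[k] for k in ("freq_lambda", "sev_median", "sev_sigma") if k in c})
        sim = simulate_annual_losses(n_years, **params)
        el = sum(sim) / len(sim)
        rows.append({"name": c["name"], "annual_cost": c["annual_cost"],
                     "expected_loss": el,
                     "reduction_per_dollar": (base_el - el) / c["annual_cost"]})
    return sorted(rows, key=lambda r: r["reduction_per_dollar"], reverse=True)


if __name__ == "__main__":
    # Constructed assumptions: 0.6 events/year, USD 400k median event, fat tail.
    baseline = {"freq_lambda": 0.6, "sev_median": 400_000, "sev_sigma": 1.2}
    losses = simulate_annual_losses(20000, **baseline)
    print({k: round(v) for k, v in summarize(losses, 250_000, 5_000_000).items()})
    for r in rank_controls(baseline, [
        {"name": "MFA everywhere", "annual_cost": 150_000, "freq_lambda": 0.35},
        {"name": "backup/DR uplift", "annual_cost": 300_000, "sev_median": 200_000},
    ]):
        print(f'{r["name"]:>18}: EL {r["expected_loss"]:>12,.0f}  '
              f'reduction/$ {r["reduction_per_dollar"]:.2f}')
```

Rerunning `summarize` on the post-control loss distribution shows the interrelation the text describes: a control that lowers event frequency also lowers the insurance layer that is worth buying and the capital that must sit idle against the retained tail, which is why the three budgets cannot be set independently.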

Jack Freund

Is a cyberrisk quantification expert, coauthor of Measuring and Managing Information Risk, 2016 inductee into the Cybersecurity Canon, ISSA Distinguished Fellow, FAIR Institute Fellow, IAPP Fellow of Information Privacy, (ISC)2 2020 Global Achievement Awardee and the recipient of the ISACA® 2018 John W. Lainhart IV Common Body of Knowledge Award.