Securosis’ Rich Mogull on balancing the use of historical and recent security event data March 5, 2009

Posted by separkin in News.
Rich Mogull of Securosis has posted a blog entry about “Selective Inverse Recency Bias In Security”. The article discusses some of the psychological and emotional foundations for identifying trends in security events and justifying security management decisions.
The article reiterates some truisms about human behaviour as a component of an organisation’s security environment (“We know that human behavior doesn’t change, people will make mistakes, and are predictably unpredictable”). It also serves, however, to highlight that in order to be objective, security managers must acknowledge their own innately human responses to security events.
Security managers should keep in mind that even with a wealth of monitoring data and preventive controls at their disposal, they may still respond to security threats in a human, that is to say emotive, way. Their beliefs and ‘gut feelings’ about past events will influence the management decisions they make in the moment. The Securosis article argues that such emotional investment can only skew the trends and data in a security manager’s mind, potentially driving them to seek out the evidence that supports their emotionally driven decisions and to overlook the evidence that does not.
Shostack and Stewart’s “The New School of Information Security” discusses how security managers can consciously use fear as a tool to justify security decisions and expenditure in the boardroom. However these same security managers may also subconsciously use this fear as a tool to convince themselves of the efficacy or inappropriateness of a given approach (depending on their feelings toward it), by disregarding those events (both recent and historical) that do not support their established way of thinking (or in this case, feeling).
Arguably, security managers operate in an environment that is naturally predisposed to fear and suspicion. Previous experiences and monitoring data may then be used selectively to justify management decisions that these emotions have already pre-determined. It is perhaps just as important, then, to equip security managers with the emotional tools to weigh the benefits and risks of a given course of action, so that their decisions are not only justified but also rational.