
CISO Sensibilities: The Misperception of Risk

BRAD MOLDENHAUER
October 03, 2025 - 12 min read

Let’s start by acknowledging that likely all of us have seen the movie Titanic. For the one or two of us who missed that cinematic achievement, nominated for 14 Academy Awards and winning a record-tying 11 (tying Ben-Hur), I recommend it for its production values, direction, score, story and emotional depth alone, but you are likely familiar with the subject matter regardless.

Over one hundred years ago, the “unsinkable” Titanic foundered after striking an iceberg off the coast of Newfoundland. More than 1,500 people died in what became one of the deadliest maritime accidents ever.

Several factors contributed to this massive death toll, but perhaps the most critical was that there simply weren’t enough lifeboats. The ship carried 2,224 people, but fewer than half of them could squeeze into the boats. As we know, passengers who didn’t get a spot in one of those lifeboats quickly died in the freezing waters of the North Atlantic.

What’s less well known is that the Titanic’s supply of lifeboats was in full compliance with the British marine regulations in force at the time. The law required the ship to carry 16 lifeboats; the Titanic actually had 20. The ship’s owners did a good job of providing enough boats to address the regulatory risk of noncompliance. Unfortunately, meeting regulatory requirements did little to prevent the tragic loss of life. The photo below shows the Titanic in 1911 on the bottom and its near-identical twin, RMS Olympic, in 1912 on top, with red circles marking the lifeboats.

[Photo: the Titanic in 1911 (bottom) and RMS Olympic in 1912 (top), lifeboats circled in red]

This is a case of misperception of risk. The owners focused on mitigating the regulatory risk, apparently blind to the much larger risk of disaster. They framed the lifeboat issue as a compliance item that needed to be addressed so that the ship could start carrying passengers and generating revenue. One could argue that if they had stepped back and considered the potential consequences for the customers rather than the company’s short-term priorities, history might have unfolded differently. Reports suggest that the Titanic had enough deck capacity to easily add lifeboats for everyone on board, had the owners chosen to do so. What does this example have to do with managing information risk? We encounter misperceptions every day within the realm of enterprise risk and security.

Every organization has a greater responsibility than simply complying with regulations. We must think about who is ultimately at risk: the company or the customer? Furthermore, everyone in the organization has their own priorities and their own subjective view of risk. Unless we mitigate these misperceptions, they can have disastrous consequences. As a result, I believe that the misperception of risk is the most significant vulnerability facing enterprises today and in the future.

That misperception is guided by the biases that we all bring to the problem based on our backgrounds, our education, the budgets we’ve got, and the psychology and sociology of the situation. And so, when I look at misperception of risk as a vulnerability, the mitigation for it is diversity of perspective. I always try to inject a diverse perspective to ensure that the contrast and the contours of the dialogue emerge. In fact, the World Economic Forum (WEF) publishes its Global Risk Report every year. I’ve been reading it since 2018 to broaden my own perspectives; cyber-attacks have appeared in it every year since, which is why the report was brought to my attention in the first place. The WEF Global Risk Report covers climate change, income disparity, polarization of societies and so on. In 2024, AI-generated misinformation and disinformation entered the top 5 along with cyber-attacks, and both the 2-year and 10-year severity rankings include adverse outcomes of AI technologies.


As security professionals, we tend to think about objective ways to estimate risk: to assess the likelihood and extent of harm that can occur due to specific threats and exploitable vulnerabilities.

In reality, the way people perceive risk has a strong subjective component. Economic and psychological factors greatly affect how each of us perceives the likelihood and potential impact of harm from specific actions or situations. Within an organization, each individual’s perception of risk varies depending on his or her job role, responsibilities, goals, background, and peer group. This means corporate directors, security professionals, and end users all may have a different view of the risk associated with a specific decision, technology or action.

Misperceiving risk has serious consequences because our actions are shaped by our perception of risk. An employee may think that posting personal and work-related information on a social media site is relatively harmless. However, threat actors might use this publicly available information in social engineering campaigns to gain access to enterprise systems via the employee’s device, ultimately resulting in detrimental security breaches.

I read a paper from the WEF a few years ago called Managing in the Age of Meltdowns; one of the things it discussed was the need to encourage skepticism. To manage risk more fully, leaders need to cultivate skepticism through diversity. The authors point to research indicating that diverse groups ask tougher questions, share more information, and discuss a broader range of relevant factors before deciding. Researchers found that banks with fewer bankers on their board were less likely to fail. The explanation was that non-bankers were more likely to disrupt groupthink by challenging seemingly obvious assumptions.

That’s what I tend to do, and my current team can attest to this. The CISO in Residence team historically had very well-defined requirements for candidate consideration: former Zscaler customer, CISO or -1 from the CISO, implemented and operationalized Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA) for a global organization, and their departure would not impact or disrupt the current Zscaler-customer partnership. Aside from whittling the candidate pool down by 99%, we essentially were looking for purple squirrels.


On top of that, while the experience was mandated through team governance, I saw that we were creating a risk by having essentially a team of clones – we all had the same experience and skill set, and we all sounded alike, thought alike and even started looking alike, to the point where you would have thought we were all born and bred on the planet Kamino. We needed diversity of perspective, and I found it in a current team member who worked at a partner organization in their Office of the CISO. I pushed, cajoled, lobbied and argued for his consideration through exemplary choice architecture. The chance was given, a decision was made, and here I sit four years later: that candidate has been and continues to be my colleague, with an undeniable track record of experience and impact supporting security transformation engagements with customers across the world.

Employees misperceiving risk is an all too common occurrence and is generally understood, which is why security and risk teams have a broader role in organizations today. This allows them to assess project-level security impact to ensure there is an acceptable level of information security risk in the processing, handling and storage of data, including the use of technology, and that this aligns with current corporate governance and any regulatory requirements. However, the risk and security team may also misperceive the risk. Let’s go back to the social media use case. It’s fair to say plenty of security teams misperceived the risk of social media, but in the opposite direction: they overestimated the risk and underestimated the benefits. They may not like social media because it creates vulnerabilities for both data loss and malware dissemination through endless third-party add-ins, and their perception then drove them to focus on minimizing the risk by trying to block the use of the technology. Imagine if one of your business competitors was running away with market leadership largely due to their use of social media for strategic marketing, while your business adhered to the draconian control the security team put in place and never looked at social media as an innovative differentiator.

While end users tend to underestimate the risks of a desirable activity or technology, security professionals sometimes display the opposite tendency. We focus obsessively on the information risk associated with a specific threat or vulnerability. In doing so, we completely miss bigger risks. This phenomenon is known as target fixation, a term originally coined to describe a situation in which fighter-bomber pilots focus so intently on a target during a strafing or bombing run that they fail to notice the bigger risk to themselves and crash into the target as a result.

As information security professionals, we can develop a similar fixation. We focus so intently on one risk that our awareness of larger hazards is diminished. This target fixation can also occur in other groups with “control” functions within the organization, such as internal audit, legal compliance, and corporate risk management. Here is an example from my own experience as the CISO of a 550-bed health system.

Several years ago, we discovered that malware had been introduced onto our network from an employee’s personal computer. We became so focused on this source of danger that we eliminated all personal devices from our network. We further fueled our target fixation by labeling these rogue devices “non-hospital managed systems (NHMS),” a term (pronounced “nims”) that reflected our frustration over our lack of control. I vowed we would never again allow network access from devices that we didn’t fully control.


However, by becoming fixated on a single threat, we may have created some larger risks and additional costs. For example, we needed to issue contract employees and even PRN nurses with corporate devices, each of which allowed broader access to the hospital network. If we had instead focused on how we could provide limited access to the environment from “untrusted” devices, we might have managed the risk with lower total cost and obtained a head start in developing a key aspect of a more flexible security strategy.

It’s worth noting that security professionals can also suffer from a problem that’s almost the opposite of target fixation: alert fatigue. At many organizations, security groups experience a constant deluge of thousands of alerts emanating from security tools across the enterprise. With so much noise, it’s easy to become overwhelmed and miss important threats. As security professionals, we also may misperceive risk due to the tendency to “set and forget” security controls. This is yet another irrefutable law of security: the efficacy of a control deteriorates with time. Once in place, controls tend to remain static, but the threats they are intended to mitigate continue to evolve and change, sometimes in very dynamic ways. Controls that are initially very effective can become inadequate over time. Ultimately, an adverse event may occur and may even have disastrous consequences. We should understand this notion incredibly well, because this is precisely what Zscaler has been displacing for almost two decades now.

Within enterprise IT, a typical “set and forget” error is the failure to keep controls up-to-date, particularly if the controls are designed to mitigate a relatively low risk. A case in point: distributed denial-of-service (DDoS) threats were a big concern more than a decade ago, due to widely publicized attacks by worms such as Code Red, Nimda, and SQL Slammer. These attacks disabled corporate web sites or flooded internal networks by overloading them with requests. To mitigate the availability risk, many organizations invested in defenses against DDoS attacks.

Over time, however, DDoS attacks became less frequent, and organizations were assailed by newer threats. With limited resources, information security groups focused on mitigating these new threats rather than continuing to build defenses against DDoS attacks. At the same time, though, businesses were increasing their online presence. Web sites evolved from being used primarily for advertising and displaying static corporate information to managing business-critical data and applications through SaaS, IaaS and PaaS models. Some organizations began conducting all their business online. Even traditional brick-and-mortar businesses moved customer support, order management, and other critical business processes onto the Web. The larger online presence multiplied the potential impact of a successful attack. As a result, when DDoS attacks from a variety of groups resurfaced in the past few years, they created even greater disruption to business operations as well as damage to corporate brands.

It should be apparent by now that the tendency to misperceive risk is universal. We need to find ways to help compensate for this misperception, given that it is our job to manage risk. As security professionals and managers, how can we mitigate the misperception of risk?

We can start by ensuring that we include a diversity of viewpoints when making risk management decisions. Whenever possible, we should involve a broad cross-section of individuals representing groups across the organization. This diversity helps compensate for individual biases. However, assembling the right mix of people is only the first step in building a more complete picture of risk. As information security and risk professionals, we need to ensure that the discussion brings up new perspectives and views. We must ask penetrating questions designed to bring alternative viewpoints to the surface. I think of these as high-contrast questions, because the process is analogous to adjusting the contrast or colors of a photograph to highlight key elements of possible interest. This questioning counteracts the inevitable bias due to target fixation. We can also help counter target fixation by simply recognizing that it exists, and then consciously trying to see the problem from someone else’s viewpoint.

In addition, we need to continually seek out the minority report, the view that is contrary to perceived wisdom. If the majority is telling us to turn right, are we missing something important that we’d find out by turning left? In a striking example, Israel’s Directorate of Military Intelligence considered this viewpoint so important that it created a devil’s advocate office as an institutional safeguard against groupthink. The office’s job was to criticize analysis coming from the Directorate’s other divisions and write papers countering that analysis. In order to explore alternative assumptions and worst-case scenarios, it examined scenarios involving radical security developments, including those that the defense establishment considered unlikely. Notably, the office was staffed by experienced, highly regarded people known for their creative thinking, and its reports went directly to all major decision-makers.

George Bernard Shaw, the Irish playwright and political activist who gave us the incredibly important Pygmalion, once said, “Those who cannot change their minds cannot change anything.” The moment we want to believe something, we suddenly see all the arguments for it and become blind to the arguments against it. We have seen how devastating the misperception of risk can be and has been. One way to foster the mitigation of diversity of perspective is to build an inventory of examples showing how other organizations ignored similar risks and experienced adverse consequences as a result, usually mimicking the behavior of an ostrich by proverbially sticking their head in the sand. The more examples we compile, the harder they are to ignore. Eventually, you have a database that illustrates and provides awareness of how and where things have gone wrong, and hopefully it becomes much more difficult to find enough sand to stick your head in.
