Chandler makes many good points about why people avoid dealing with risk management. My favorite is this one:
- People still can’t get their head around the idea of probability.
Why is it that they can understand that there’s a 25% chance of rain tomorrow or how much they stand to gain on a $2 ticket if their horse in the third race wins at 11-1, but not that there is a high likelihood that the critical vulnerability they refuse to patch will get worm’ed?
— Reasons not to manage risk, by Chandler Howell, Not Bad for a Cubicle, May 15th, 2007
Because they're getting paid now and they don't think ahead?
Chandler has another, more specific answer:
It’s funny, but I think this one answered itself for me. Qualitative versus quantitative. It’s not that people can’t understand probability. It’s that “high” and “critical” that screw them up.
If I re-write it as:
There are worms “in the wild” exploiting this vulnerability which will gain admin access to your laptop or server and {trash it|steal your data|etc} needing nothing but being on the same network with it, and those worms have been spotted on our network.
Does that help?
I guess I'd say that helps some, but it doesn't really quantify the situation. This reminds me of dealing with reporters: they like numbers, especially ones they can demonstrate to themselves add up, because that makes them feel more certain and their readers think they're more authoritative. And reporters may know something about what people in general want in order to be convinced of something. (Pictures help, too.)
Have I mentioned Metricon lately?
-jsq
My guess is that most people just don't believe the numbers.
When I hear a number that says "5% of all people have been phished" or "40% of users don't notice the lock icon is not there" I am skeptical.
What I've noticed is that when "experts" present numbers authoritatively, and those numbers are untrustworthy, people smile and say "ok". They may even repeat the numbers if they need to, but that doesn't mean they believe or act on them.
The days are gone where people just believe stats, especially security numbers. But also gone are the days where people are forced to actually back up their numbers. I'm not sure how to improve on that situation...
(manual ping to Is this Risk Management's Waterloo?)
Posted by: Iang (Risk Management's Waterloo?) | May 18, 2007 at 03:03 PM