Cognitive bias in security: We have new tyres, but the car’s still burning…


Had you believed the headlines over the last twelve months, some of our most commonly used technologies would now be unusably insecure, including Bluetooth, WPA2, and any Intel or AMD processor made after 1995. Add to that the constant, ominous threat of the latest and most terrifying strain of ransomware, and you could be excused for thinking that securing your devices and networks is a lost cause. Yet just as quickly as these threats appear, they often seem to fade away. Of course this is largely due to the protection offered by security patches, but I believe there is something more interesting at play. The Chicken Little syndrome that infects so many organisations in the aftermath of a newly announced vulnerability or malware strain is undeniably pervasive, and it can cost organisations millions in wasted time and resources.

In the last issue we looked at Spectre and Meltdown, attacks that leverage speculative execution with potentially serious results, including disclosure of sensitive kernel and process memory, and, in the browser, memory disclosure from untrusted JavaScript. However, we also uncovered why these vulnerabilities are unlikely to be your organisation’s most pressing cyber risk. Using the analogy of worrying about the tyres of a burning car, I proposed that security decision-makers can easily fall foul of paying disproportionate attention to the new and exciting while continuing to overlook the enduring and mundane, exposing organisations to risks that are far more potent.

In this issue, we will look at how the 24-hour news cycle may affect public debate and lead to security decisions that are unnecessarily influenced by hype. We will also look at trending security search-term data over the last 12 months, contrasted against breach and security expenditure statistics, to demonstrate how this cognitive bias may play out at scale. To continue the analogy from Issue 4, organisations are buying new tyres, but wondering why their cars are still burning. To help manage this risk, I will offer some structured analytic techniques that can counter cognitive bias or group-think, to ensure your security strategy is delivering the best possible return on investment.
