I am a self-professed fan-boy of Freakonomics, and the two worlds collided for me today as I stood there in front of a camera and tried to explain to the average IT manager why sharks are less dangerous than vending machines... as per the Freakonomics statistical analysis. The thing is, technically this is correct, albeit a bit mind-blowing.
This great post on their blog titled "How are sharks less dangerous than vending machines? An exercise in conditional risk" tells you all about it, so I'll quote some of the relevant parts of the post... If you've never read the full article, do yourself a favor and read it, especially if you work in Information Security as a day job.
"Did you know that vending machines, not a major danger in most of our minds, are twice as likely to kill you as a shark? .. I found that the comparison was correct. The yearly risk (in the United States) of dying from a shark attack is roughly 1 in 250 million. In contrast, the yearly risk of dying from a vending machine accident is roughly 1 in 112 million. The vending machine is indeed roughly twice as lethal as the shark!" (Sanjoy Mahajan, Freakonomics site)
Aside from being entertaining and fun to use as a quick quip at parties, what does this factoid have to do with enterprise information security? Everything!
Think about what the media, and often you yourself, are teaching your executives to fear... no really, think about it. We're conditioning executives and business leaders to fear the hacktivist, the 'chaotic actor', and the state-sponsored advanced persistent threat (yes, I went there, deal with it). Yet how many of you reading this right now have ever been targeted by a nation state, versus the odd malicious drive-by download that happened to infect your CEO's laptop because his kid plays World of Warcraft on it, went looking for cheats, and installed a random executable? Or how about intellectual property or corporate data theft cases where the root cause was a configuration error or oversight that would have let anyone with even a rudimentary grasp of computers copy and 'steal' terabytes of corporate secrets?
So what do you fear, the shark or the vending machine? If my employment history has taught me anything, it's that we fear the absolutely wrong thing, and it's entirely irrational. Many of us are driven by headlines which dictate how we will decide to protect ourselves, or we're driven by the fear-based knee-jerk reactions of Chicken Little executives who happen to get the spotlight on the morning financial analysis show. Am I right?
To make this more real, look at the projects you're proposing for your next yearly budget. How many of those projects would you put in the 'advanced threat mitigator' bucket, versus how many of them are 'basics' or 'foundational' aspects of information security? If you've got anything in the 'advanced threat mitigator' bucket, let me ask you whether you believe you've got all of your basics covered. Do you do asset management, change management, identity and access management, and basic policy governance well enough that you feel you have those 'under control'? If you've answered anything but an emphatic "yes", then you're afraid of sharks when you should be fearing the vending machine. You're afraid of China or Anonymous, when you should be worried about Bob in accounting who's copying those quarterly reports to Dropbox unencrypted because he doesn't know better...
I mentioned a few things in the previous paragraph which I think are foundational to good security. I strongly feel that asset management, change management, identity and access management, and basic policy governance are the absolute minimum table stakes (to quote Jeff Reich). Organizations that aren't doing the absolute basics but are chasing WAFs and are concerned about APT (even if rightly so) are hopelessly lost in a sea of ineptitude that there is only one way out of. Fear the vending machine, people. Fear, or perhaps better said... respect the minimum, basic table stakes of the security game. Know that preparing advanced threat counter-measures sounds ridiculous when the defense those counter-measures would sit on top of is porous. To paraphrase Monty Python's "Holy Grail": you can't build a castle in the swamp, because it'll sink into the mud on its poor foundation...
I think you get the point, right?
Here's the other part of this argument: it really is about conditional risk. Sharks should scare you if you're in waters known to be inhabited by these creatures of the deep... while the cafeteria at the office should be the source of your vending machine fear. The conditions under which you fear one risk or another are critical too. The reason most of us will never see an APT-style attack is that we don't work for agencies or contractors of the state, or companies tied to them. If you work for a retail outlet with a website, the crime syndicates probably won't target you with their advanced 0-day-burning attacks... you're far more likely to fall victim to an accidental drive-by bot installation than anything else. It's all in the conditions you operate in... as much as I think this may just be one of those self-evident things... it's obviously not.
This brings me to one final point I've made before: if you don't know the modus operandi of your enterprise or organization, how in the world do you hope to protect it from anything? Is your company in the business of state secrets, or do you sell logo T-shirts to teenage vampire fans? These are different business profiles with different associated threats. One may well have to worry about both the shark and the vending machine coming after them, while the other should just worry about the vending machine... it's all a matter of conditions. Makes sense, right?
Know your business and operating environment. Don't spend too much time teaching your executives to fear the big scary shark in the form of a malicious, state-sponsored advanced threat when you can't even revoke a former employee's credentials in a timely manner. I hope the point is clear.
For extra snarky humor, read the XKCD cartoon on risk at the bottom of the post I'm referencing in this blog ... hilarious as always.
Beware the vending machines, folks, they'll get you if you're not careful!
I will link the video Jake Ludington and I recorded on the topic as soon as it's posted.