
Ingratitude for the Preventative Hero

In Nassim Nicholas Taleb's book "The Black Swan", he explains a type of ingratitude that I think the security professional knows all too well. It goes something like this: Who gets rewarded by society, the person who nearly kills himself trying to avoid a huge problem or the person who corrects a bad situation after it is already in progress? History will show time and time again that it is the latter. He says "Everyone knows that you need more prevention than treatment, but few reward acts of prevention."

The other day, someone asked me "If this DNS Vulnerability was such a big deal, then why did we not see horrible things happen on the Internet?" We as humans find it difficult to value that which we don't know or have not directly experienced. There were many people working their tails off once they were notified of this DNS bug so that the highest level of preventative steps could be taken. I salute those who listened to what Dan had to say and took action.

The administrator who worked over the weekend to remediate an unruly set of vulnerabilities will not be rewarded on Monday the way he would be if problems had happened over the weekend and he had fixed them before the doors opened on Monday. We prioritize our preventative measures by likelihood and impact, and that is an entirely different topic for another blog entry.

The same pattern can be seen at the personal level, where until you have a bout with death, preventative tasks just don't get the priority they deserve. IMHO, it comes down to an individual being able to experience the bad situation that is to be avoided, so that when asked to spend time, energy, or money on the preventative action, the value of avoiding it is self-evident.

If you follow me this far, you arrive at a sociological theory of information security that says that in order for your community to understand the value of preventative measures, they must have experienced what is being prevented on a personal level. Don't take this as though I am trying to make everyone into a communicator of fear; not at all. All I am trying to do is present the biases that we have as a society, so that we can leverage them when it is appropriate to do so and avoid them when they get in the way of good decision making.


Comments (1)

Ryan:

Sure, but Taleb's conclusions aren't new :)

No one cares about the guy whose job it is to protect and make sure everything stays the status quo.

The risk profile, though essentially the same in either case in your example, is perceived differently by the people whom it will affect because they have to actually *think* about their possible loss from that scenario.

By doing everything transparently to the end user ( whomever that may be in any case ), users do not see or think about the end result.

Who is doing a better job? The doctor who tells you to eat Cheerios and exercise every day, or the doctor who says nothing and saves your life after a heart attack? I would say the former, but the latter will get all the attention.

In security, those who are likely doing the best jobs are the ones who are noticed the least... It comes with the territory.


About

This page contains a single entry from the blog posted on August 14, 2008 6:55 AM.
