Risk Management When Your Life Depends on It
By Ian Farquhar, Advisory Technology Consultant for RSA, the Security Division of EMC
On what basis do we make risk choices?
When in an unfamiliar retail store, and facing a POS terminal whose design one has never seen before, what reassures the average person that it is safe to swipe their card and type their PIN into that machine? Worse, even if the POS machine is a familiar design, what is the rational basis for assuming it adequately protects card details? It certainly looks like a solid piece of hardware, but is it really?
I regularly challenge people on this point, and the sad answer is usually a blank stare. Is that even a question? It should be, surely?
But what if the stakes are higher? What if the stakes are someone’s – or in this case something’s – life?
Since EMC moved to St. Leonards in Sydney, I’ve had the wonderful option of using trains instead of cabs for commuting to meetings in Sydney’s Central Business District. St. Leonards station has a large flock of pigeons who live in the nearby tower blocks, and these pigeons have learned that humans are dangerous creatures.
Except they seem to have learned something new as well…
As I was standing on the platform, I pulled out my smartphone to read email. I glanced down, and a pigeon walked across my foot. Not around my foot. Not beside my foot. Right across the top of my foot. There was a morsel of food on the other side, and it clearly wanted that food before another pigeon saw it.
Aside from making a brutal observation about humanity (or this human anyway), I contend that this bird had made a rational risk choice in a situation where the potential outcome of miscalculation was its death. I doubt a pigeon has the mental capability to understand what humans are doing, but they have observed that when a human stares at something they’re holding in their hand, the level of threat they pose is significantly diminished.
This bird was trying to reach some food before another competing bird did, and as I was engrossed in my smartphone, it concluded me to be a low risk. It was a classical reward/risk calculation.
Furthermore, this bird was constantly re-evaluating that risk, as once it saw that I wasn’t looking at my smartphone anymore, it reassessed its calculation as being too risky, and abandoned the reward. The risk/reward scale had tipped the other way.
Pretty impressive for a bird often maligned as “the rat of the sky”.
Do we, as humans, do risk/reward calculations well? Are we as adaptable?
I’ve been doing security for over 20 years now, and I am unquestionably from the school who reflexively begins any answer with “no”. Although I am a recovering “Dr. No of Security”, these habits are hard to break. When the concept of public cloud computing arose a few years back – be it PaaS, IaaS or SaaS – it initially seemed like a joke in poor taste. You REALLY want me to send sensitive corporate data to some undefined data centre, where my only assurance of trust was a contract between our legal department?! Between LAWYERS?!
But I contend that’s not a rational position.
Ian Farquhar is an Advisory Technology Consultant for RSA, the Security Division of EMC. In this role, he advises organizations throughout Australia and New Zealand in areas including information security, cryptography, compliance, privacy and data protection. Ian also contributes to R&D at RSA in the area of hardware security. Ian is based in Sydney and has over 20 years of experience working in the IT security industry.
One of the key requirements for a POS terminal’s product design is the appearance of solidity and trustability. Building truly tamper-resistant hardware is expensive, and POS terminals are commodity devices in a cost-competitive market. Ross Anderson’s team at Cambridge University did some work attacking then-current POS terminals, and was successful at doing so despite the tamper-resistant mechanisms employed. http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-711.html
For more commentary on avian intellectual capabilities, in crows specifically, refer to this article: http://arstechnica.com/science/2012/09/bird-brains-crows-remember-your-face-and-know-youre-hiding-in-there/