Humans are bad at perceiving both real-world and cyber-risks, according to McAfee CTO Steve Grobman at an RSA Conference 2021 keynote Tuesday. He added, however, that it is possible to improve this perception skill using a science- and data-based approach.
During his RSA keynote titled "Bathtubs, Snakes and WannaCry, Oh My! Risk in the Physical and Cyber World," Grobman built on the premise that people tend to misperceive risk. He opened with snakes and tornadoes: both are common fears, yet few people in the U.S. die from either in a typical year.
He pointed to the media as partly responsible, saying certain types of tragic events get far more coverage than their actual frequency warrants. He also introduced the micromort, a unit of risk developed by Stanford University professor Ronald Howard for comparing the chance of death from different activities. One micromort is a one-in-a-million chance of death: driving 230 miles carries roughly 1 micromort, while hang gliding carries about 8.
Grobman connected this to cyber-risk, arguing that many in cybersecurity likewise miscalibrate their sense of risk based on traditional and social media. Individual events like the Equifax, Democratic National Committee and Ashley Madison breaches get far more mainstream attention, he said, than ongoing commodity campaigns such as TrickBot, though he acknowledged that those breaches are newsworthy.
"If you think about the physical world, whenever we have a big tornado here in Texas it's a big story in the news, and they've got pictures of the destruction and the carnage. In reality, not a lot of people die of tornadoes," Grobman told SearchSecurity. "If you then start pivoting to the cyber world, we see very similar patterns where we get hyperfocused on salacious, high-profile events that are interesting, but aren't going to be the exact kind of scenario that an organization needs to worry about, especially when it comes to single-organization types of attacks."
The remedy, then, is to weigh each cyber-risk by its impact against its prevalence, that is, how many organizations it actually affects, rather than by how much coverage it receives, Grobman said.
Responding to the resulting spread of risks requires a layered approach that combines human and technology-based responses. Basic security hygiene, such as user education and enabling multi-factor authentication, blunts the high-volume, lower-impact threats; threat-intelligence and artificial-intelligence tooling handles automated campaigns and exploit activity; and human-operated attacks call for humans and machines responding together.
The bottom line, Grobman concluded, is that organizations need to measure risk accurately in order to spend their security budgets effectively. Watch the news, he said, but base organizational decisions on data, and use that data to counter natural instinct.
"We can't defend our organizations by acting on gut instinct," Grobman said at the end of his presentation. "Just as it's counterintuitive that in the physical world, an investment in $6 anti-slip bathtub stickers provides a higher return on risk mitigation than a $4,000 tornado shelter, implementing multi-factor authentication likely reduces more risk than mandating third-party code audits in an attempt to address supply chain attacks."
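As an added illustration of the data-driven weighing Grobman describes (this is example code written for this page, not material from the keynote or from McAfee), the following Python ranks a set of threats by expected annual loss, likelihood times impact, and ranks candidate controls by how much expected loss each removes per dollar spent. Every threat name, probability, impact figure, control cost and reduction fraction below is a constructed assumption for illustration; what the example shows is the ordering the method produces and how it differs from ordering by impact alone, not the numbers themselves.

```python
"""Added example: rank threats by expected loss (likelihood x impact) and
controls by risk reduction per dollar, instead of by headline volume.
All figures are constructed for illustration, not data from the keynote."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    annual_probability: float  # chance this organization is hit in a given year
    impact_usd: float          # loss if the event happens

    def expected_loss(self) -> float:
        return self.annual_probability * self.impact_usd


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost_usd: float
    # threat name -> fraction of that threat's probability the control removes
    reductions: dict


def expected_annual_loss(threats) -> float:
    """Sum of likelihood x impact over the whole threat portfolio."""
    return sum(t.expected_loss() for t in threats)


def apply_control(threats, control):
    """Return a new threat list with probabilities cut by the control."""
    out = []
    for t in threats:
        cut = control.reductions.get(t.name, 0.0)
        out.append(Threat(t.name, t.annual_probability * (1.0 - cut), t.impact_usd))
    return out


def risk_reduction_per_dollar(threats, control) -> float:
    """Expected loss removed per dollar of control cost (the 'return on mitigation')."""
    before = expected_annual_loss(threats)
    after = expected_annual_loss(apply_control(threats, control))
    return (before - after) / control.annual_cost_usd


def rank_threats(threats, by="expected_loss"):
    """'impact' orders threats the way headlines do; 'expected_loss' orders by data."""
    key = (lambda t: t.impact_usd) if by == "impact" else (lambda t: t.expected_loss())
    return [t.name for t in sorted(threats, key=key, reverse=True)]


def rank_controls(threats, controls):
    """Controls sorted best-first by expected loss removed per dollar."""
    scored = [(c.name, risk_reduction_per_dollar(threats, c)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample portfolio: hypothetical numbers, not measurements.
THREATS = [
    Threat("Credential phishing", 0.60, 150_000),
    Threat("Ransomware via commodity loader", 0.15, 2_000_000),
    Threat("Targeted supply-chain compromise", 0.01, 5_000_000),
]
CONTROLS = [
    Control("Enforce MFA on all accounts", 50_000,
            {"Credential phishing": 0.9, "Ransomware via commodity loader": 0.5}),
    Control("Mandate third-party code audits", 400_000,
            {"Targeted supply-chain compromise": 0.5}),
]

if __name__ == "__main__":
    print("Ranked by impact (headline order):", rank_threats(THREATS, by="impact"))
    print("Ranked by expected loss:", rank_threats(THREATS))
    for name, score in rank_controls(THREATS, CONTROLS):
        print(f"{name}: ${score:.2f} of expected loss removed per $1 spent")
```

With these constructed inputs the impact-only ordering puts the rare supply-chain compromise first, while the expected-loss ordering puts commodity ransomware and phishing ahead of it, and MFA comes out far ahead of code audits on expected loss removed per dollar. Real figures for a given organization could reverse that, which is the point of the exercise: the probabilities and impacts have to be measured from incident and telemetry data rather than inferred from coverage.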
Alexander Culafi is a writer, journalist and podcaster based in Boston.