A few years ago I found myself teaching some of the skills of project management to a group of people who worked at a shipping insurance company. There was a module about risk management, and I was somewhat daunted by presenting it to a group of people whose professional life revolved around the assessment of risk. The simple model that I had for them felt insubstantial – risks should be assessed in two dimensions: the likelihood of the risk occurring, and the impact that it would have if it were to occur.
Mitigate high-likelihood risks, insure against high-impact, low-likelihood risks, and you can pretty much stop worrying about anything that falls into the low/low category.
After somewhat apologetically introducing the subject, one underwriter in the audience reassuringly told me that that’s exactly what they did too (and also went on to explain that the insurance industry is in large part about conning people into insuring against Low/Low risks).
I’ve been thinking about these dimensions of risk recently when looking at what I see as increasingly poor coverage in the trade and general press about matters of IT security. Take, for example, today’s “news” that a Samsung Internet Fridge can be hacked. This is not a news story.
The “risk”? That your Gmail login details can be captured. The likelihood? Next to zero. Internet Fridges are a piece of futurology myth akin to the silver suits we were all supposed to be wearing by 2015: you don’t have one, I don’t have one. Even if you did, you’d also have to be running an open wireless network at home for an attacker to get onto, which, if you’re the sort of person who buys an Internet Fridge, is just not going to be the case. And if you’re the sort of person who has an Internet Fridge, you’re almost certainly also the sort of person who uses two-factor authentication, which cuts the impact of the whole chain rather than its likelihood: a captured password on its own does not get the attacker into the account. (We haven’t even counted the low chance of a malicious hacker hanging about where your Internet Fridge lives, looking to hack it for your Google password.)
The issue with the reporting is that, as a result, the general noise about information security risk is raised, and the likelihood that anyone does anything about anything important (like turning on two-factor authentication wherever they can) drops accordingly. Reporting low-impact, low-likelihood non-risks as news is making our overall security worse: it is crying wolf, and the warnings that actually matter get ignored along with the rest.