Thursday, September 30, 2010

Risk Homeostasis as Applied to Information Security.

I recently came across the term risk homeostasis,which is in a nut shell people have a certain risk tolerance and efforts to reduce risk in one area will increase risk in other areas. A well sighted example of this was a  study of taxi cab drivers in Munich Germany. The study equipped half of the cabs with ABS (anti-lock braking system) and the other half without them. As ABS is designed to reduce the risk of an accident during sudden braking, you would think the net effects of installing ABS would be a reduction of accidents in cars with ABS. However the opposite is true, Cab drivers with ABS equipped cars increased accident risk by modifying other behaviors such as speeding and more sudden breaking as they assumed ABS would take care of them. But it doesn't.

As I think of this concept and how it effects the information security industry I would like to offer my observations in the following example.

A/V and the user:

Since the early years of the PC, viruses have become a dominate force in the computing landscape, spawning a multi-billion dollar industry. It is a common belief having anti-virus software much like ABS for cars  will protect your computer from contracting a computer virus, and if users stick to word processing, exercise caution in email, and are vigilant about updating their software this might be true. However, users know they A/V software they expect it to protect them so they modify their behavior. Computer users become lax about updating their software, download music, movies, games etc.. from file sharing applications, they disregard what they have been told about safe email practices and consequently they have accidents their computer become infected.

As a collective we think of A/V software working in much the same way as getting a vaccination for small pox, we get the vaccination plus any required buster shots and we don't get small pox, end of story. Except while A/V software is designed to work in the same way it doesn't. A/V software as an industry catches 80% to 90% of know viruses which is fairly good odds unless your particular software doesn't catch the one you come down with. However, virus writers have figured out they can mutate the virus code and make it less detectable leaving the industry in my experience catching 60%-70% of mutated viruses. Now if A/V software is presented with a truly novel virus the odds of successfully detecting the virus with A/V software in my experience plummet somewhere south of 10%. This is the part end users and many IT folks fail to grasp, their odds of coming across a novel or mutated virus is a 1000 times more likely.

Don't get me wrong I am not saying A/V software is useless, I actually do highly recommend it. What I am saying is, in assuming A/V software will protect us from viruses we have failed to recognize and appreciate the willingness of users to modify expected behavior and take on more risk based on faulty assumptions. 

No comments: