
How Near-Miss Bias Affects Risk-Based Decisions

Once you have calculated risk to present to decision makers, your job is not yet done. The data you present is perceived through cognitive filters before a decision is made. Near-Miss Bias is a cognitive bias that particularly affects risk decision makers, and risk professionals need to know how to communicate risk in a way that accounts for this effect.


  1. HOW NEAR-MISS BIAS AFFECTS RISK-BASED DECISIONS
     Jordan Schroeder, CISSP, CISM
  2. INTRO: WHO AM I
     ▸ Member of the GRC team at Visier, Inc
     ▸ Moderator of Security StackExchange
     ▸ Former teacher, actor, singer, director, Coast Guard Officer, undertaker, database designer, tax preparer, business owner, day trader
     ▸ http://www.linkedin.com/in/schroederjordan
     ▸ http://security.stackexchange.com/users/6253/schroeder
     ▸ https://gophishyourself.wordpress.com
  3. INTRO: RISK IS NOT ENOUGH
     ▸ You’ve done your calculations
     ▸ You’ve drafted a clear report
     ▸ Your research shows that a Threat is not going away
     ▸ You present your report expertly to decision makers
     ▸ They make the wrong decision …
     ▸ Why??
  4. INTRO: RISK IS NOT ENOUGH
     ▸ Data alone does not result in appropriate action
     ▸ Data is interpreted by the audience through a number of filters
     ▸ Those filters determine the resulting action
     ▸ “Near-Miss Bias” is a unique filter that requires specific handling
  5. INTRO: THIS PRESENTATION IS A SUMMARY OF
     Dillon, Robin L. and Tinsley, Catherine H. (2008). How Near-Misses Influence Decision Making Under Risk: A Missed Opportunity for Learning. McDonough School of Business, Georgetown University, Washington, D.C. 20057
  6. INTRO: THIS PRESENTATION IS A SUMMARY OF
     Dillon-Merrill, Robin; Tinsley, Catherine H.; and Cronin, Matthew A. (2012). How Near-Miss Events Amplify or Attenuate Risky Decision Making. McDonough School of Business, Georgetown University, Washington, D.C. 20057
  7. WHAT IS IT?
  8. WHAT IS IT? COLUMBIA SHUTTLE DISASTER 2003
  9. WHAT IS IT? COLUMBIA SHUTTLE DISASTER 2003
     ▸ Shedding of tank foam during ascent happened frequently
     ▸ Caused by debris hitting the tanks
     ▸ “With each successful landing, it appears that NASA engineers and managers increasingly regarded the foam-shedding as inevitable, and as either unlikely to jeopardize safety or simply an acceptable risk.”
     ▸ (Columbia Accident Investigation Board Report, Volume 1, 2003, p. 122)
     Source for slides 9 to 15: Dillon and Tinsley, How Near-Misses Influence Decision Making Under Risk: A Missed Opportunity for Learning, Management Science, Articles in Advance
  10. WHAT IS IT? COLUMBIA SHUTTLE DISASTER 2003
     ▸ Probabilistic analysis performed in 1990 determined that debris strikes could be catastrophic
     ▸ Foam loss occurred on 10% of flights
     ▸ Damage to foam every flight, with an average of 143 divots per flight
     ▸ How could this ‘obvious’ problem be overlooked?
  11. WHAT IS IT? NASA EXPERIMENT
     ▸ Information Management Business students (with training in stats and probabilities) put through a simulation where they have to navigate the Mars Rover from one crater to another
     ▸ Each simulated day, given a weather report, the participant needed to decide to stay or move on given the weather’s chance of causing a wheel failure
  12. WHAT IS IT? NASA EXPERIMENT
     ▸ Those who ‘survived’ the risky choices were more prone to making riskier decisions for the next day
     ▸ Even when presented with the probabilities afresh each day, participants still incorporated the previous successes into their decisions, even if they did not make as many risky decisions
     ▸ When given the choice of knowing Near-Miss data or other data, participants were less likely to seek other data
  13. WHAT IS IT? NEAR-MISS
     ▸ People tend to see events as linked and not independent
     ▸ “hot streaks”
     ▸ People with Near-Miss information tend to skew towards riskier decisions
  14. WHAT IS IT? NEAR-MISS
     ▸ People do not ignore the other data
     ▸ People use the data from the Near-Miss events as a source of optimism
     ▸ More Near-Miss data exacerbates the problem
  15. WHAT IS IT? NEAR-MISS SPECULATION: BAYES
     ▸ Near-Miss data incorporated with statistical data
     ▸ Like an inherent Bayesian analysis
     ▸ “My successes were because the probabilities were general and not applicable to my specific situation. My probabilities are different.”
     ▸ (Stats) x (Near-Miss adjustment)
     ▸ version of the Gambler’s Fallacy
  16. WHAT IS IT? INFOSEC NEAR-MISSES
     ▸ Viruses caught on endpoints
     ▸ Brute-force attempts
     ▸ “Background radiation”
     ▸ Phishing domains
     ▸ Vishing calls
  17. WHAT IS IT? INFOSEC NEAR-MISSES
     ▸ “We have never had a breach”
       ▸ that we know about …
     ▸ “All these alerts are just noise”
       ▸ Incident Response teams are absorbing a lot of budget in hunting down all these false positives
     ▸ “They are just script-kiddies who don’t know what they are doing”
       ▸ There is no real threat
  18. MISS - COMMUNICATING
  19. MISS - COMMUNICATING: NEAR-MISS COULD BE INTERPRETED TWO WAYS
     ▸ Disasters that did not occur
       ▸ Resilient Risks
       ▸ “Yay! I didn’t die!”
     ▸ Disasters that almost happened
       ▸ Vulnerable Risks
       ▸ “OMG! I almost died!”
     Source for slides 19 to 24, 28 and 29: Dillon-Merrill, Robin; Tinsley, Catherine H.; and Cronin, Matthew A., "How Near-Miss Events Amplify or Attenuate Risky Decision Making" (2012). Published Articles & Papers. Paper 93.
  20. MISS - COMMUNICATING: RESILIENT RISKS
     ▸ Results in riskier behaviours
     ▸ Reduction in mitigating behaviours
     ▸ Explicit Likelihood calculations do not change
       ▸ merely quietly ‘enhanced’ with a Bayesian factor when there is a call to action
  21. MISS - COMMUNICATING: THE HIDDEN CALCULATION
     ▸ You present your risks
     ▸ You present your calculations
     ▸ Your audience agrees with it all
     ▸ Your audience quietly applies their own Bayesian Near-Miss factor
     ▸ Your audience then decides
       ▸ budget, personnel, InfoSec projects, etc.
  22. MISS - COMMUNICATING: PRESENT VULNERABLE RISKS
     ▸ If Near-Miss information was communicated as Vulnerable Risks (“we almost died!”):
       ▸ and if the audience accepts that framing
       ▸ the effects of Resilient Risks are countered
       ▸ more mitigating behaviours are used
  23. MISS - COMMUNICATING: VULNERABLE CHALLENGES
     ▸ The audience might not accept your framing
       ▸ becomes a messaging issue
     ▸ Creates a tone of negativity (less fun, less value)
       ▸ The mitigations become devalued!
       ▸ The messenger becomes devalued!
  24. MISS - COMMUNICATING: COMMUNICATING RISK
     ▸ Focus on the Probabilities
     ▸ Frame past events as independent and not a chain
     ▸ Focus on the potential impact
     ▸ Frame Near-Misses as Vulnerable Risks
  25. MISS - COMMUNICATING: COMMUNICATING RISK - JORDAN
     ▸ Focus on Procedural Resiliency
     ▸ Combat Vulnerable Risk negativity by celebrating the resiliency of the Risk process
     ▸ “Yay! We are surviving because we are using the right mitigations!”
     ▸ Make insurance sexy
  26. MISS - COMMUNICATING: COMMUNICATING RISK - JORDAN
     ▸ Our detective controls are working!
     ▸ IR teams have confirmed that our users, our data, and our systems have not been compromised
     ▸ Our defences are effective against script-kiddies
       ▸ What are they not effective against?
  27. NEAR-MISS AS RISK ASSESSMENT
  28. MISS - ASSESSMENT: CHEAP DISASTERS
     ▸ Treating Near-Misses as Resilient Risks means that one might ignore them
     ▸ Instead, treat them as Actualized Risks for purposes of Risk Assessment
     ▸ Disasters that don’t cost the organization anything
  29. MISS - ASSESSMENT: CHEAP TRICKS
     ▸ Often the same pre-conditions as a real disaster
     ▸ Easy way to identify hazardous conditions
     ▸ Encourage and reward the reporting of Near-Misses
     ▸ Helps to encourage an organizational culture of safety
  30. MISS - ASSESSMENT: EXAMPLE IN INFOSEC
     ▸ A/V alerts that it caught a virus in an email attachment
       ▸ not executed, no actualized risk
     ▸ Every once in a while, treat it as though it was an actual infection
     ▸ Run the Incident Response process
       ▸ great training for new members
     ▸ Identify all vulnerable areas that were involved
  31. MISS - ASSESSMENT: EXAMPLE IN INFOSEC
     ▸ Recalibrate the Risk Assessments of that area
     ▸ Mitigate vulnerable areas
     ▸ Trains everyone involved
     ▸ Streamlines the processes
     ▸ Encourages a culture of safety
     ▸ Old-fashioned fire drill but with a real threat
  32. SUMMARY
  33. SUMMARY: NEAR-MISS
     ▸ Past events seen as linked
     ▸ Near-Misses used to adjust probabilities
     ▸ Near-Miss data preferred over other data
     ▸ Used to justify riskier behaviours
  34. SUMMARY: COMMUNICATING NEAR-MISS
     ▸ Focus on Probabilities
     ▸ De-link events
     ▸ Focus on potential harm
     ▸ Shift to Vulnerable Risks
     ▸ Focus on Procedural Resiliencies
     ▸ Combat negativity
  35. SUMMARY: NEAR-MISS ASSESSMENTS
     ▸ Treat Near-Misses as opportunities
       ▸ Cheap Disasters
       ▸ Fire Drills
       ▸ Identify Vulnerable areas
     ▸ Communicate the importance of reporting Near-Misses
     ▸ Encourage a culture of safety
  36. THANK YOU & HAPPY RISKING!
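As an added worked example (not part of the presentation or the papers it summarizes), this Python script puts the explicit likelihood calculation next to the quiet near-miss adjustment described on slides 15, 20 and 21, and shows how the same stated probability can flip a mitigation decision once the audience has "survived" enough exposures. The Beta-Binomial form of the adjustment, the prior weight of 10, and the impact and cost figures are assumptions chosen to illustrate the effect.

```python
# Added worked example (not from the presentation or the cited papers).
# It models the "hidden calculation" on the slides: the stated probability
# is unchanged, while the audience quietly discounts it with a Bayesian
# near-miss factor. ASSUMPTION: that factor is modelled as a Beta-Binomial
# update that treats each survived exposure as evidence about the hazard
# rate; the prior weight and the money figures are invented for illustration.

def stated_probability(p: float, survived: int) -> float:
    """Objective view: exposures are independent, so survived exposures
    (near-misses) leave the per-exposure failure probability unchanged."""
    return p

def near_miss_adjusted_probability(p: float, survived: int,
                                   prior_weight: float = 10.0) -> float:
    """Subjective view: a Beta(alpha, beta) prior centred on the stated p,
    updated with `survived` successes and zero failures. The posterior mean
    alpha / (alpha + beta + survived) falls as near-misses accumulate."""
    alpha = p * prior_weight
    beta = (1.0 - p) * prior_weight
    return alpha / (alpha + beta + survived)

def cumulative_failure_probability(p: float, horizon: int) -> float:
    """Probability of at least one failure in `horizon` independent exposures."""
    return 1.0 - (1.0 - p) ** horizon

def mitigation_justified(p: float, impact: float, mitigation_cost: float) -> bool:
    """Simple expected-loss test: mitigate when p * impact exceeds the cost."""
    return p * impact > mitigation_cost

def compare(p, survived, horizon, impact, mitigation_cost, prior_weight=10.0):
    """Put the explicit and the quietly adjusted calculation side by side."""
    stated = stated_probability(p, survived)
    adjusted = near_miss_adjusted_probability(p, survived, prior_weight)
    return {
        "stated_p": stated,
        "adjusted_p": adjusted,
        "stated_cumulative": cumulative_failure_probability(stated, horizon),
        "adjusted_cumulative": cumulative_failure_probability(adjusted, horizon),
        "stated_mitigates": mitigation_justified(stated, impact, mitigation_cost),
        "adjusted_mitigates": mitigation_justified(adjusted, impact, mitigation_cost),
    }

if __name__ == "__main__":
    # Constructed scenario: a hazard seen on 10% of exposures (the slides'
    # foam-loss figure), 20 exposures survived so far, 10 more planned,
    # a hypothetical 1,000,000 impact and a 50,000 mitigation cost.
    result = compare(p=0.10, survived=20, horizon=10,
                     impact=1_000_000, mitigation_cost=50_000)
    for key, value in result.items():
        print(f"{key:>20}: {value:.3f}" if isinstance(value, float) else f"{key:>20}: {value}")
```

With these inputs the stated per-exposure probability stays at 0.10 while the adjusted one drops to about 0.033, which is enough to turn "mitigate" into "don't bother" even though nothing in the presented numbers changed.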
