Perceived Security vs. Real Security

M.C. Escher (1898 – 1972), Bond Of Union, 1956.

Risk mitigation is about making a more or less objective assessment of possible circumstances and events that might determine an impact. The perception of risk is an important factor in how humans make decisions on how to mitigate risks. Human perception of risk is biased by facts and assumptions that might prevent objective and factual judgment of risk mitigation. Some of these perception factors are not risk factors but are driven by human emotion and experience.

One important factor is fear. Consider, for example, these data on how fear relates to the perception of risk: … the fear of earthquakes has been reported to be more common than the fear of slipping on the bathroom floor, although the latter kills many more people than the former … the fear of flying is still widespread even though the chances of being involved in an aircraft accident are about 1 in 11 million, while your chances of being killed in an automobile accident are 1 in 5000. Bruce Schneier has posted on his blog some other interesting examples of human perception of risk. Why does perception matter for security risk professionals? If you would like to drive security decisions, then understanding the human reaction to risk is a critical factor to consider in risk mitigation decision making.

Understanding cognitive science basics is very important. Consider, for example, security awareness. Studies show that awareness shifts the perception of risk. In general, you are aware of a risk that is close to you or of an event that you experienced before, and this drives risk mitigation decisions and investment in security. Statistics from OWASP, for example, show that organizations that have experienced a public data breach spend more on security in the development process than those that have not.

Basically, a breach or an event that has occurred drives risk awareness and is an important factor in risk mitigation decisions and security spending. The relationship of bad events to risk perception is also confirmed by cognitive science: … events that have been experienced before are easily brought to mind, are imagined and judged to be more likely than events that could not easily be imagined and never occurred.

Another important aspect of risk is what is referred to as the appetite for risk, or being risk averse because of a potential gain. In general, humans are risk averse with respect to gains, such as preferring a sure thing over a gamble with a potential loss, and taking a risk in the event the loss is small compared with the potential gain. Consider, for example, risk perception biased by human greed. Sometimes risk decisions are blind to potential losses because of a lack of due diligence on what the losses can be. This is what some refer to as taking the risk as being the chicken or being the hawk. Another way to think about risk vs. gain is to rationalize what residual risk is left if an event were to occur, where the probability of the event can be estimated based upon real incident/event data. In essence, it is the "what I could lose" factor for the business gain of taking the risk. This requires being able to visualize and articulate the risk event and simulate the losses that would occur if the event were to materialize. In my day-to-day job, for example, I would use the threat scenarios and simulate the event of a loss to make the point to the business of the potential loss due to the exploit of a vulnerability.

Threat and risk modeling can be a useful way to visualize an attack: which threats an attack might materialize, the vulnerabilities that can be exploited and how these vulnerabilities can cause an impact. Nevertheless, even if the threat scenario is visualized, the decision of whether to deploy a countermeasure or not is a risk judgment that is biased by business factors such as usability and customer impact. Even with a visualized threat scenario showing the risk potential, perception could still be such that the risk would be acceptable. If the threat scenario applies directly to a real event or incident that occurred before, most likely the associated risk won’t be accepted; the same holds if the threat scenario applies to a compliance risk event that could be found by the incoming audit.

In essence, for certain organizations, previous incidents and audit findings can drive security decisions more than threat assessments such as risk analysis and threat modeling.

Another important factor in the perception of risk is whether the risk impacts an organization's or an individual's responsibility directly or indirectly, independently of whether the event occurred or not. If the impact is direct, such as in the case of assuming the liability for the loss from a bad event occurring, risk awareness will be higher than if it is indirect and happens to a third party, which would be considered a non-liability.

In essence, to make the case for risk you need to consider how risk can be differently perceived by the business, factoring in fear as related to loss, and rationalize residual risk as related to business gains. If the organization is fear driven in risk decision making, including data from previous incidents and fraud that the company experienced before can help to drive security awareness as a factor of risk mitigation. If the organization is audit driven, use the audit findings and non-compliance liabilities to make the case for mitigation.

Ultimately the adoption of security initiatives and security spending can be driven with informed risk decisions using threat models and risk factors such as likelihood and impact but also by factoring perceived security and risk vs. actual/real security and risk.

Sep 13, Grand Remembrances

Today is Grandparents Day in the United States. Being a Grand is a special honor. I feel very blessed that my wife and I have two grandchildren. We were able to visit them today. Yes, we are still being cautious with the coronavirus, but we also find it very difficult to not see them when they live so close. So today we did drop by to visit Jacob (age 10) and Sophia (age 7) along with their parents. We brought donuts and caught up with them. Our grandchildren are still pretty young and this is a precious time in their lives – and ours!

I wish I had known my grandparents better. We never lived in the same place. Dad was a career Air Force pilot, so we moved around a lot. But we did get to see them once in a while when they would visit us, or we them.

A Plague of Giants

There are five known magical ‘kennings’ or types: air, water, fire, earth, and plants. Each nation specializes in one of these kennings, and the magic influences the society. There’s a big pitfall with this diversity of ability and locale–not everyone gets along.

Enter the Hathrim giants, or ‘lavaborn’ whose kenning is fire. Where they live the trees that fuel their fire are long gone, but the giants are definitely not welcome anywhere else. They’re big, they’re violent, and they’re ruthless. When a volcano erupts and they are forced to evacuate, they take the opportunity to relocate. They don’t care that it’s in a place where they aren’t wanted.

I first read Kevin Hearne’s Iron Druid books and loved them (also the quirky The Tales of Pell), so was curious about this new venture, starting with A PLAGUE OF GIANTS. Think Avatar: The Last Airbender meets Jim Butcher’s Codex Alera series. Elemental magic, a variety of races, different lands. And it’s all thrown at you from page one.

But this story is told a little differently. It starts at the end of the war, after a difficult victory, and a bard with earth kenning uses his magic to re-tell the story of the war to a city of refugees. And it’s this movement back and forth in time and between key players in this war that we get a singularly grand view of the war as a whole. Hearne uses this method to great effect.

There are so many interesting characters in this book that I can’t cover them all here. Often in books like this such a large cast of ‘main’ characters can make the storytelling suffer, especially since they don’t have a lot of interaction with each other for the first 3/4 of the book–but it doesn’t suffer, thankfully. And the characterization is good enough, despite these short bursts, that by the end we understand these people and care about what happens to them.

If there were a main character it would be Dervan, a historian who is assigned to record (also spy on?) the bard’s stories. He finds himself caught up in machinations he feels unfit to survive. Fintan is the bard from another country, who at first is rather mysterious and his true personality is hidden by the stories he tells; it takes a while to understand him. Gorin Mogen is the leader of the Hathrim giants who decide to find a new land to settle. He’s hard to like, but as far as villains go, you understand his motivations and he can be even a little convincing. There’s Abhi, the son of hunters, who decides hunting isn’t the life for him–and unexpectedly finds himself on a quest for the sixth kenning. And Gondel Vedd, a scholar of linguistics who finds himself tasked with finding a way to communicate with a race of giants never seen before (definitely not Hathrim) and stumbles onto a mystery no one could have guessed: there may be a seventh kenning.

There are other characters, but what makes them all interesting is that they’re regular people (well, maybe not Gorin Mogen or the viceroy–he’s a piece of work) who become heroes in their own little ways, whether it’s the teenage girl who isn’t afraid to share vital information, to the scholars who suddenly find how crucial their minds are to the survival of a nation, to the humble public servants who find bravery when they need it most. This is a story of loss, love, redemption, courage, unity, and overcoming despair to not give up. All very human experiences by simple people who do extraordinary things.

Hearne’s worldbuilding is engaging. He doesn’t bottle feed you; at first it feels like drinking from a hydrant, but then you settle in and pick up things along the way. Then he shows you stuff with a punch to the gut. This is no fluffy world with simple magic without price. All the magic has a price, and more often than not it leads you straight to death’s door. For most people just the seeking of the magic will kill you. I particularly enjoyed the scenes with Abhi and his discovery of the sixth kenning and everything associated with it. But giants? I mean, really? It isn’t bad enough fighting people who can control fire that you have to add that they’re twice the size of normal people? For Hearne if it’s war, the stakes are pretty high, and it gets ugly.

The benefit of the storytelling style is that the book, despite its length, moves along steadily (Hearne is no novice, here). The bits of story lead you along without annoying cliffhangers (mostly), and I never got bored with the switch between characters. It was easy to move between them, and they were recognizable enough that I never got lost or confused. The end of the novel felt a little abrupt, but I guess that has more to do with my being ready for the story to continue, despite the exciting climax.

If you’re looking for epic fantasy with fun storytelling and clever worldbuilding, check out A PLAGUE OF GIANTS.

The post A Plague of Giants appeared first on Elitist Book Reviews.

The Artwork Of Gary Choo

Gary Choo is a concept artist/illustrator based in Singapore. I’ve known Gary for a good many years (17, actually), working together in animation studios in Singapore like Silicon Illusions and Lucasfilm. Gary currently runs an art team at Mighty Bear Games, but when time allows he also draws covers for Marvel comics, and they’re amazing.

The Art Of Gary Choo

To see more of Gary’s work or to engage him for freelance work, head down to his ArtStation.

The post The Art Of Gary Choo appeared first on Halcyon Realms – Art Book Reviews – Anime, Manga, Film, Photography.