Once you have calculated risk to present to decision makers, your job is not yet done. The data you present is perceived through cognitive filters before a decision is made. Near-Miss Bias is a cognitive bias that affects risk decision-makers in particular, and Risk Professionals need to know how to communicate risk in such a way as to account for this effect.
1. HOW NEAR-MISS BIAS AFFECTS RISK-BASED DECISIONS
JORDAN SCHROEDER, CISSP, CISM
2. INTRO
WHO AM I
▸ Member of the GRC team at Visier, Inc
▸ Moderator of Security StackExchange
▸ Former teacher, actor, singer, director, Coast Guard Officer, undertaker, database designer, tax preparer, business owner, day trader
▸ http://www.linkedin.com/in/schroederjordan
▸ http://security.stackexchange.com/users/6253/schroeder
▸ https://gophishyourself.wordpress.com
3. INTRO
RISK IS NOT ENOUGH
▸ You’ve done your calculations
▸ You’ve drafted a clear report
▸ Your research shows that a Threat is not going away
▸ You present your report expertly to decision makers
▸ They make the wrong decision …
▸ Why??
4. INTRO
RISK IS NOT ENOUGH
▸ Data alone does not result in appropriate action
▸ Data is interpreted by the audience through a number of filters
▸ Those filters determine the resulting action
▸ “Near-Miss Bias” is a unique filter that requires specific handling
5. INTRO
THIS PRESENTATION IS A SUMMARY OF:
2008
How Near-Misses Influence Decision Making Under Risk: A Missed Opportunity for Learning
Robin L. Dillon
Catherine H. Tinsley
McDonough School of Business, Georgetown University, Washington, D.C. 20057
6. INTRO
THIS PRESENTATION IS A SUMMARY OF:
2012
How Near-Miss Events Amplify or Attenuate Risky Decision Making
Robin Dillon-Merrill
Catherine H. Tinsley
Matthew A. Cronin
McDonough School of Business, Georgetown University, Washington, D.C. 20057
9. WHAT IS IT?
COLUMBIA SHUTTLE DISASTER 2003
▸ Shedding of tank foam during ascent happened frequently
▸ Caused by debris hitting the tanks
▸ “With each successful landing, it appears that NASA engineers and managers increasingly regarded the foam-shedding as inevitable, and as either unlikely to jeopardize safety or simply an acceptable risk.”
▸ (Columbia Accident Investigation Board Report, Volume 1, 2003, p. 122)
Dillon and Tinsley: How Near-Misses Influence Decision Making Under Risk: A Missed Opportunity for Learning, Management Science, Articles in Advance
10. WHAT IS IT?
COLUMBIA SHUTTLE DISASTER 2003
▸ Probabilistic analysis performed in 1990 determined that debris strikes could be catastrophic
▸ Foam loss occurred on 10% of flights
▸ Damage to foam every flight, with an average of 143 divots per flight
▸ How could this ‘obvious’ problem be overlooked?
11. WHAT IS IT?
NASA EXPERIMENT
▸ Information Management Business students (with training in stats and probabilities) put through a simulation where they have to navigate the Mars Rover from one crater to another
▸ Each simulated day, given a weather report, the participant needed to decide to stay or move on given the weather’s chance of causing a wheel failure
12. WHAT IS IT?
NASA EXPERIMENT
▸ Those who ‘survived’ the risky choices were more prone to making riskier decisions for the next day
▸ Even when presented with the probabilities afresh each day, participants still incorporated the previous successes into their decisions, even if they did not make as many risky decisions
▸ When given the choice of knowing Near-Miss data or other data, participants were less likely to seek other data
13. WHAT IS IT?
NEAR-MISS
▸ People tend to see events as linked and not independent
▸ “hot streaks”
▸ People with Near-Miss information tend to skew towards riskier decisions
14. WHAT IS IT?
NEAR-MISS
▸ People do not ignore the other data
▸ People use the data from the Near-Miss events as a source of optimism
▸ More Near-Miss data exacerbates the problem
15. WHAT IS IT?
NEAR-MISS SPECULATION: BAYES
▸ Near-Miss data incorporated with statistical data
▸ Like an inherent Bayesian analysis
▸ “My successes were because the probabilities were general and not applicable to my specific situation. My probabilities are different.”
▸ (Stats) x (Near-Miss adjustment)
▸ version of the Gambler’s Fallacy
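As an added illustration (not from the slides or the Dillon and Tinsley papers), the following Python sketch models the hidden “(Stats) x (Near-Miss adjustment)” step: the stated probability is treated as a prior worth a chosen number of observations, each survived risky day is quietly counted as a success, and the perceived probability drifts down until a risk rejected on day one is accepted. The same model shows the “Cheap Disasters” alternative, where the same events are counted as actualized failures instead. The prior weight, tolerance and framing functions are assumptions of this model, not values from the papers.

```python
"""Constructed model of the hidden Near-Miss adjustment.

The true per-day failure probability never changes; only the belief does.
A Beta-Bernoulli posterior is used as the 'inherent Bayesian analysis'
described on the slide (an assumption of this sketch, not the papers' model).
"""
from dataclasses import dataclass


@dataclass
class Belief:
    stated_p: float       # probability presented by the Risk Professional
    prior_weight: float   # how many pseudo-observations the stated figure is worth
    failures: int = 0     # near-misses counted as 'we almost died'
    survivals: int = 0    # near-misses counted as 'yay, I didn't die'

    def perceived_p(self) -> float:
        # Posterior mean: the stated figure acts as prior_weight observations,
        # survivals pull the estimate down, failures pull it up.
        alpha = self.stated_p * self.prior_weight + self.failures
        beta = (1 - self.stated_p) * self.prior_weight + self.survivals
        return alpha / (alpha + beta)


def resilient_framing(stated_p: float, prior_weight: float, near_misses: int) -> float:
    """Near-misses absorbed as successes (Resilient Risk framing)."""
    return Belief(stated_p, prior_weight, survivals=near_misses).perceived_p()


def vulnerable_framing(stated_p: float, prior_weight: float, near_misses: int) -> float:
    """The same events treated as actualized failures (Cheap Disasters)."""
    return Belief(stated_p, prior_weight, failures=near_misses).perceived_p()


def would_accept_risk(perceived_p: float, tolerance: float) -> bool:
    """Decision rule of the model: act if the perceived risk is below tolerance."""
    return perceived_p < tolerance


def first_day_risk_accepted(stated_p: float = 0.10, prior_weight: float = 10,
                            tolerance: float = 0.05, days: int = 20):
    """Day on which a resilient-framed decision maker first accepts a risk
    that was rejected on day 0, or None if it never happens within `days`."""
    for n in range(days + 1):
        if would_accept_risk(resilient_framing(stated_p, prior_weight, n), tolerance):
            return n
    return None


if __name__ == "__main__":
    for n in (0, 5, 11):
        print(n, round(resilient_framing(0.10, 10, n), 3), round(vulnerable_framing(0.10, 10, n), 3))
    print("risk first accepted on day", first_day_risk_accepted())
```

With a stated 10% chance, a prior worth ten observations and a 5% tolerance, the decision flips on the eleventh survived day although nothing about the real hazard changed.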
16. WHAT IS IT?
INFOSEC NEAR-MISSES
▸ Viruses caught on endpoints
▸ Brute-force attempts
▸ “Background radiation”
▸ Phishing domains
▸ Vishing calls
17. WHAT IS IT?
INFOSEC NEAR-MISSES
▸ “We have never had a breach”
▸ that we know about …
▸ “All these alerts are just noise”
▸ Incident Response teams are absorbing a lot of budget in hunting down all these false positives
▸ “They are just script-kiddies who don’t know what they are doing”
▸ There is no real threat
19. MISS - COMMUNICATING
NEAR-MISS COULD BE INTERPRETED TWO WAYS
▸ Disasters that did not occur
▸ Resilient Risks
▸ “Yay! I didn’t die!”
▸ Disasters that almost happened
▸ Vulnerable Risks
▸ “OMG! I almost died!”
Dillon-Merrill, Robin; Tinsley, Catherine H.; and Cronin, Matthew A., "How Near-Miss Events Amplify or Attenuate Risky Decision Making" (2012). Published Articles & Papers. Paper 93.
20. MISS - COMMUNICATING
RESILIENT RISKS
▸ Results in riskier behaviours
▸ Reduction in mitigating behaviours
▸ Explicit Likelihood calculations do not change
▸ merely quietly ‘enhanced’ with a Bayesian factor when there is a call to action
21. MISS - COMMUNICATING
THE HIDDEN CALCULATION
▸ You present your risks
▸ You present your calculations
▸ Your audience agrees with it all
▸ Your audience quietly applies their own Bayesian Near-Miss factor
▸ Your audience then decides
▸ budget, personnel, InfoSec projects, etc.
22. MISS - COMMUNICATING
PRESENT VULNERABLE RISKS
▸ If Near-Miss information was communicated as Vulnerable Risks (“we almost died!”):
▸ and if the audience accepts that framing
▸ the effects of Resilient Risks are countered
▸ more mitigating behaviours are used
23. MISS - COMMUNICATING
VULNERABLE CHALLENGES
▸ The audience might not accept your framing
▸ becomes a messaging issue
▸ Creates a tone of negativity (less fun, less value)
▸ The mitigations become devalued!
▸ The messenger becomes devalued!
24. MISS - COMMUNICATING
COMMUNICATING RISK
▸ Focus on the Probabilities
▸ Frame past events as independent and not a chain
▸ Focus on the potential impact
▸ Frame Near-Misses as Vulnerable Risks
25. MISS - COMMUNICATING
COMMUNICATING RISK - JORDAN
▸ Focus on Procedural Resiliency
▸ Combat Vulnerable Risk negativity by celebrating the resiliency of the Risk process
▸ “Yay! We are surviving because we are using the right mitigations!”
▸ Make insurance sexy
26. MISS - COMMUNICATING
COMMUNICATING RISK - JORDAN
▸ Our detective controls are working!
▸ IR teams have confirmed that our users, our data, and our systems have not been compromised
▸ Our defences are effective against script-kiddies
▸ What are they not effective against?
28. MISS - ASSESSMENT
CHEAP DISASTERS
▸ Treating Near-Misses as Resilient Risks means that one might ignore them
▸ Instead, treat them as Actualized Risks for purposes of Risk Assessment
▸ Disasters that don’t cost the organization anything
29. MISS - ASSESSMENT
CHEAP TRICKS
▸ Often the same pre-conditions as a real disaster
▸ Easy way to identify hazardous conditions
▸ Encourage and reward the reporting of Near-Misses
▸ Helps to encourage an organizational culture of safety
30. MISS - ASSESSMENT
EXAMPLE IN INFOSEC
▸ A/V alerts that it caught a virus in an email attachment
▸ not executed, no actualized risk
▸ Every once in a while, treat it as though it was an actual infection
▸ Run the Incident Response process
▸ great training for new members
▸ Identify all vulnerable areas that were involved
31. MISS - ASSESSMENT
EXAMPLE IN INFOSEC
▸ Recalibrate the Risk Assessments of that area
▸ Mitigate vulnerable areas
▸ Trains everyone involved
▸ Streamlines the processes
▸ Encourages a culture of safety
▸ Old-fashioned fire drill but with a real threat
33. SUMMARY
NEAR-MISS
▸ Past events seen as linked
▸ Near-Misses used to adjust probabilities
▸ Near-Miss data preferred over other data
▸ Used to justify riskier behaviours
34. SUMMARY
COMMUNICATING NEAR-MISS
▸ Focus on Probabilities
▸ De-link events
▸ Focus on potential harm
▸ Shift to Vulnerable Risks
▸ Focus on Procedural Resiliencies
▸ Combat negativity
35. SUMMARY
NEAR-MISS ASSESSMENTS
▸ Treat Near-Misses as opportunities
▸ Cheap Disasters
▸ Fire Drills
▸ Identify Vulnerable areas
▸ Communicate the importance of reporting Near-Misses
▸ Encourage a culture of safety