Risk perceptions and historical data

A couple of years ago a UK town council banned hanging flower baskets from public display because of the theoretical risk that they might fall down and hit someone on the head. You can read the story here. I wonder whether this is any more absurd a scenario than the one in which an American, talking about his PDA, considers “What happens if I leave it in a phone booth when I’m running to a plane and my competitor picks it up?”, as detailed in this article: https://www.networkworld.com/reviews/2000/0320pda.html.

Mr. Paranoid in the above quote should take more care of his toys, and if he has the sort of job where people chase after him in the hope that he’ll drop something of value, then he probably shouldn’t be talking about it. However, when we are considering risk scenarios, where are the checks that stop us wasting our time implementing mitigating controls where we really don’t need them?

Presumably Bury St Edmunds council had researched the statistics of hanging-basket-related tragedies before deciding that the best risk mitigation would be to remove the baskets altogether (as opposed to, say, using longer bolts or tougher rope). If there is a history of people receiving knocks on the head from falling basket-borne flora, then this proactive reaction is understandable.

Are we prone to similar knee-jerk reactions within the information security realm, based on non-existent or poorly understood risks? I’d like to think not, but the lack of historical data around many of the risks we consider means that our judgements often have to rest on qualitative opinion rather than quantitative fact. The danger is that we end up crying wolf, as described by David Lacey over in his blog, rather than actually mitigating risk.

There are a number of reasons why we have little historical data to rely on when constructing risk models. For one, some of the risks simply did not exist before the electronic systems we now relate them to. Another is that organisations have not maintained information security metrics on the various bad outcomes, or, where metrics have been kept, they remain company secrets and are not shared outside the organisation.

The result is that we are sometimes liable to take unnecessary action and remove a perceived threat even though the assessed risk has never actually been recorded as occurring. So, hanging basket lovers everywhere should be climbing those wobbly step-ladders and taking them down…