
As you can tell, I am the little brand Kane Norway. I'm here... we pulled together a deck quite quickly, so there will be a few mistakes in there. I've already seen one which basically says this talk is being done in three months' time rather than today, but hey, you know, what's that between friends? We're going to be talking about risk today. Now, risk is something that we as humans are always going to be struggling with; with our little sort of monkey brains in our head we always struggle at this, or monkey-stroke-reptile brains depending on which way you view evolution. We're going to be looking at... do you know what, we tested this and it worked, right? They told me this was a professional organization. Try it again. I never told you what we... interpretation, measurement, treatment, all that sort of thing. Now, it is going to get intimate. We're going to have some audience participation and you're going to find out things about each other that you may have wished you didn't really know, especially the people right next to you, but we'll get to that in just a moment.

Let's look at what we're going to start with, which is sharks and coconuts, and champagne corks. Now, we know that sharks are really big and scary. They've got rotating teeth, they've been around for millennia; there's some weird statistic about sharks being older than the moon or something like that. They are killers, there's no doubt about it, right? But we also know that shark attacks are fairly rare, but that doesn't stop us and our little monkey brains and the little amygdala in my head from getting a little bit scared about them. But did you know, actually, we should be more scared of coconuts, because coconuts kill more people than sharks every day? In fact champagne corks kill more people than sharks every day, or every year. But when you look at a champagne cork, if you're like me, an alcoholic, then you just get filled with a little bit of joy. If you look at a coconut and, if like me, you love your food and you start to salivate a little bit, it's a very different thing. You think they're good things and you think sharks are really big and scary things. But actually we should be more scared of sharks... when you are sat on the beach underneath the coconut tree with a bottle of champagne ready to pop and you're laughing at your friend swimming in the shark-infested waters, guess which one of you is technically more at risk than the others? Now we know that sharks, it's unlikely, right? We're probably exposed to more coconuts than we are to sharks, even in this country, and even if a Sharknado were to happen we'd be still more exposed to coconuts.

But there's other stats as well we should be aware of. So bears, right? Bears, same sort of thing: big, scary, a PO that will take your face off as soon as look at it. But what's more dangerous, one of these or one of these? Well, I'll tell you right now, he says, pressing on a button... there we go. I'll tell you right now, these are evil [__], these things. These things are responsible for more deaths in the USA than bears, and I'm not talking about during childbirth or something like that; I mean up to the age of four they kill more people than bears every year, by orders of magnitude. How many people were killed by bears last year, do you think? And if you want to be really fancy, broken down by black and brown bears. Nearly four. Four people were killed by bears. I think it was three by brown... well, maybe it might have been the same brown bear, I don't know, but three by brown bears and one by a black bear, right? Yet, and I told you this is an old slide, an old deck, 2017, but we know this has not changed, right? Look at the stats for toddler shootings. Toddlers are responsible for... this is nine months' worth of stats and we're already talking like 20 times the number of deaths by toddlers. Now you can also say, well, actually, in fairness, bears don't have access to firearms, although I think we should probably turn around the, what is it, the Declaration of Independence, you know, the freedom to bear arms; let's change it to the freedom to arm bears and then see what they think. But we can see that there is a huge discrepancy here. Bears, we take loads of precautions against bears: there are signs up in the park, beware, there are bears here, make sure you've got some bear pepper spray; they make pepper spray specifically for bears. They give you warnings about what to do. They tell you that actually you should tie your shoelaces on your running shoes tighter so that you can run faster than your friend, because you don't have to outrun the bear, you just have to outrun your friends. They tell you all of those things about when you meet a bear. They don't tell you any of this during your antenatal classes for children, you know, please keep firearms out of the reach of your kids. You'd think that would be quite a basic one. So we see this discrepancy in life where we think of risk as something that's actually really quite black and white when it's not. We see that actually the reality of risk is very different to how we kind of balance it in our brains.

Now, I told you we were going to get intimate here. Hands up those of you who flush the toilet with the lid up, and I'm not talking about the seat, that's a completely different talk about diversity in infosec, I'm talking about the lid. Hands up those of you who flush the toilet with the lid up. Come on, let's just be honest here. Flush every time. All right, so on average it's about, and I've done this talk a few times, it's roughly about half of the number of people in an audience who flush the toilet with the lid up, okay? Now, my mother always taught me to flush it with the lid down. I don't know, what can I say? Now, what happens when you flush the toilet with the lid up, can anybody tell me? I heard, I think, aerosolize, yeah. Do you know how many feet it can travel? It's 12 feet in all directions. Not quite sure what's happened there, I will carry on anyway. So it will aerosolize up to 12 feet in all directions, right, and by aerosolizing, that it's carrying, thank you, it's carrying fragments of poo and wee with it, right, let's be blunt. What else is in your bathroom? Bleach, toothbrush. Toothbrush, yay, right. Hands up those of you who brush your teeth with poo and wee, and we should be roughly the same people, right? Now I see that nobody, well, only one really, but there was one who proudly put his hand up. Yeah, there's Rule 34 of the internet for you, my friend. And we kind of know this, right, and that poo and wee, it goes over all the surfaces. They've done this with sort of fluorescent or ultraviolet dye, etc. It literally covers everything, and that's the thing about aerosolization: you don't even necessarily feel the wetness, as it were; it just goes everywhere. And we should be worried about brushing our teeth with poo and wee, because there was a study done in the University of Arizona, Phoenix I think it was, and yes, somebody actually got paid for this, who actually tried to look at the number of harmful bacteria per square inch on toilet seats. But knowing this, knowing that there is 49 harmful bacteria per square inch on the average toilet seat, that doesn't even talk about your toothbrush, I imagine many of you will think when you next go to the toilet at home, you might put the lid down. Maybe I'll put the lid down, you know, that weird guy kept talking about poo and wee on my toothbrush and I don't trust him, he's probably followed me home and he's going to make sure I actually do it. So we should be worried: 49 harmful bacteria per square inch on the average toilet seat, it's pretty bad, right? Well, I mean, your mouse has got 1,676 specifically harmful bacteria on it, so really you should be using your toilet seat as a mouse pad. Your keyboard's 3,295. Your desk, nearly 21,000 harmful bacteria per square inch are on your desk. What's the worst one out of the lot? Desk? Hot desk, yeah, it's even worse. Your phone. So on Monday, because I assume you don't work from your desk at home, but on Monday when you go into your office or your home office or your ironing board or whatever it is you work off, when you have your lunch at your desk whilst poking around in Excel and on your phone, eating your lunch, what's more likely to actually make you unwell: brushing your teeth with poo and wee, or eating a sandwich at your desk? For the numbers it's probably going to be eating a sandwich at your desk. Now, which of you are now no longer going to eat a sandwich at your desk while working? One, right, thank you. I mean, there's always one, but yes, thank you. But like I said, hands up if you think you probably might put the lid down on your toilet seat next time. Yeah, a few more, right. Why? Well, I know, Mr Rule 34 over here... you're more likely to do the thing that's actually going to be less effective for your health than you are the thing that is going to allow you to live your life and do your job.

And I categorize it, what I mean by this is I put this into sort of three categories. If we go back to the bears versus babies, the sharks versus coconuts, we've got a perceived risk. The perceived risk is a risk that, yeah, sharks are scary, coconuts are tasty. I know sharks are very, very dangerous, but I know that I'm more likely to be killed by a coconut, but I get it, you know, my head tells me it's unlikely either way, because I don't swim and I can't be asked, I'm not a very good shot at the fair, you know, at the coconut shy, so I very rarely eat coconuts and I definitely don't sit underneath a coconut tree very often. So actually, yes, it's a risk, more people might get killed by coconuts, I don't have to worry about that. That's your perceived risk. You then have your hygiene risk. Now, more of you said you are more likely to put your lid down on your toilet than you are to stop eating lunch at your desk. That's a perceived risk; you're not addressing a real risk. This is a risk that's in your head. It is a much, much lower risk that you are going to get sick from brushing your teeth with a toothbrush in a bathroom with the lid up on the toilet than you are from eating your lunch at your desk. It's much, much less likely, but you're still going to fix it. It's hygiene, it feels like the right thing to do. And then you get the actual risk, and very often we miss the actual risk in favor of a hygiene risk, and I think when we have to look at risks in an organization it's very easy for us, because of our simple monkey brains, excuse me, because of our simple monkey brains, to actually start treating the hygiene risk. We think we're smart because we recognize the perceived risk, but we only treat the hygiene risk, not the actual risk, and we're going to come on to some more of those examples now.

Now, some of you may know a chap, he's done a bunch of videos, a guy called Javvad Malik. He's somebody who I'm proud to call... I'll look back on and be proud to call someone I once knew. But he came up with this as part of his book for the CWSP exam; he wrote a book that helped you pass the exam. He came up with this Malik risk model, which was basically a two-dimensional grid, and in order to help people understand this concept he likened it to a pub fight, which I thought was actually quite good, because, well, we're in a student location, we're in a university here, so everybody's been in a pub fight at some point in their lives, right? I liked this. I took it and I developed it and I stole it, although I did put his name on it as well, and I turned it into this, the Langford Malik risk model, where I actually applied some ISO 27005 measurements to it. Now, this is the old standard; the new standard is looking more at objective financial risk measurement. This is the older standard, which tended to look at the more subjective view, and this kind of red-amber-green view is still used by many organizations today. NASA use it for a lot of their decisions. Those of you who are interested in that sort of thing, there's a guy called Wayne Hale who does a blog, just do a search for Wayne Hale blog; he was a NASA flight controller, etc. He talks about risk and all that, it's absolutely fascinating. That's where I found out they use, I think, a 9 by 9 grid. But this grid is slightly different. So it talks about the likelihood of threat, the ease of the exploitation, so, you know, I'm a ninja, I'm a drunk ninja, or I'm just drunk, one or the other; the likelihood, it ain't happening, through to holy crap; and then assets, because we have to think about our assets, right? What are the assets we're trying to protect, ranging from arm, leg, chest, face, testicles; we've got to take into account every single thing, right, in rising order of importance, one might say. You know, with a face like mine, face should be much higher, I think, but there you go. And we see this sort of natural breakdown: when you combine the three you get a slightly less one-dimensional view of risk and we can rank that risk as green, amber and red. Very good, yeah, and that's not so bad, right?

Now then we come to the element of risk appetite, and this is the problem. Many, many organizations, their risk teams will have grids like this. It doesn't really matter, as long as everybody's singing from the same hymn book, really, exactly what they'll have. They'll have all of these mechanisms in place, they'll have the color schemes, etc. What they struggle with, though, is risk appetite. Risk appetite changes. It can change daily. I'm sure risk appetite for some organizations changed at roughly 9:00 a.m. last Friday morning, funnily enough. So risk appetite changes. Now, for instance, if you're a young 18 to 24 year old going out on the booze, this is probably what your risk profile looks like, right? A little bit of a tussle, get a little bit handsy, that's a sign of a good night for many, many people. When you get to a tender age such as mine, your risk appetite is a little bit more sort of cocoa and HX by 9 o'clock than anything else. But the risk appetite does shift, and we need to understand what that is. It's hugely complex; it's something that requires an awful lot of conversation, an awful lot of understanding. When we then just turn this into the simple ISO measurement techniques, you're scoring from 0 to 8, etc. It's again, like I say, not one-dimensional, it's a little bit more two-dimensional, there's more to it than this, but it's a very good place to start, especially if you don't really know where you're going with it. And it also uses only three colors, which means that boards and executives love it, because they've got the color range of your average Labrador, let's face it, and if it's not green, amber or red they're not particularly interested. So it's a good way of actually transitioning and educating people: let's not worry about this, let's worry about this.

Now, the problem with that, of course, is that you end up with the RAG system, right, the red-amber-green. Got to remember when I get to press the button on this one, and even when I do press it... there we go. You get the red-amber-green thing, right, which is great, but nobody really wants to score everything green, right, because it means no more budget. If everything's green we can't spend any more money, because why? There's no more risks, right? But then also nobody wants to score it as red, because they're going to get, well, "you fix this", and so everything therefore becomes a little bit amber. If you're not careful it comes out as a little bit amber as a result of it, and that's quite challenging, especially when you throw into the mix the concept of the black swan, right? I was going to say, does everybody know what this is, but the average answer is "it's a black swan, Thom, what do you think it is?" But we all know what these are: Nassim Taleb's book The Black Swan. The Black Swan is a book about an inch and a half thick which basically says a black swan event is something that only after the fact is it obvious that it was going to happen. That's the Cliff Notes of it. And the problem with risks is it doesn't matter how much you measure them, how much you red-amber-green them or whatever, almost always the thing that kills you is the thing that you never ever saw.

Now, a little bit more audience participation. I'm pretty sure I found the right slide, I got it wrong last time I did this. Which industry is really good at measuring risk? Financial services? 2008 called and they want to get back to you. Yeah, maybe. Gambling, thank you very much, this man wins the prize, yay. In this Black Swan book Taleb was talking to the security and risk officers of some of the large casinos in the world, I think they were all in Vegas, in fairness, and they came up with some amazing scenarios which nobody foresaw. For instance, one casino had a guy whose job was to fill in tax notification forms for the big winners. So somebody wins a million dollars, it's incumbent on the casino to inform the tax service in the US, not HMRC, the other one, IRS. IRS, thank you. To inform the IRS that somebody has won money. This person diligently filled in the forms and filed them in a box under his desk for eight years, didn't inform the IRS, therefore the casino was actually fined for not informing the IRS. You employ somebody to do the job, you assume they're going to do it, right? Another one: the casino was building, massive amounts of construction. One of the construction workers was fired for being drunk on duty or whatever. They found out six months later, the night before the casino was going to go live at its launch, they found some plastic explosives strapped to one of the supporting pillars that this construction worker had decided to put on there, because he took umbrage with the fact that he was fired. I mean, it's quite a difficult one to count as... And finally, the other one I'm thinking of: one of the owners, his son was kidnapped, and the casino company got together and said, don't worry, we'll pay the ransom, not a problem at all, we'll pay the ransom. They paid the ransom and then the US government fines the casino, I think it was $7 million, for paying the ransom, and the ransom was something like $4 million, I think it was. You know, how do you actually come up with some of these risks in your risk register? It's incredibly difficult to do that. And how do you actually not only identify them, we're going to come to that in a moment, how do you identify them, but also how do you treat that kind of risk as well?

So let's move on a step. So, chimpanzees, not a monkey, chimpanzee. You may have heard this. I have heard on both sides this is either a made-up story or is an actual scientific experiment, but you may have seen it. They get five chimpanzees in a room, they put a banana at the top of a ladder, a chimpanzee walks up the ladder, grabs a banana, they soak the room in ice-cold water, and they do that every time a chimpanzee walks up and grabs a banana. So what happens? They all sit around at the bottom of the ladder looking at the banana but definitely not going up for it. They take one wet chimpanzee out and put a dry one in. What does the dry one do? He goes straight up the ladder. What do the other chimpanzees do? They beat him up, because they do not want to get soaked. And they continue to take out a wet one and put a dry one in until there are all five dry chimpanzees in there who do not go up the ladder and they have no idea why, but they know not to go up the ladder. And this is the "well, we've always done it this way", and this is where again our interpretation and our measurement of risk comes into question, because we've always measured it this way, we've always done this process this way, we've always... you know, some of the most dangerous words in security, as a result.

A great example of this is the lock lead. Does everybody remember the lock lead? We spent thousands and thousands on these lock leads back in the day when laptops were expensive and we didn't want them stolen. I remember myself, I was a massive proponent of it. I used to stand up in front of the company and say you must use a lock lead, you can't not use a lock lead, and here's why: because your laptop gets stolen, we have to spend a lot of money replacing a laptop, etc. The laptop lock lead has become utterly redundant, and we know this simply because of this: disk encryption, right? Because now that commodity of a laptop being stolen is not an issue; the cost, the risk, is not in the laptop, the risk is in the data on the laptop. And I actually worked out I was spending more on lock leads than I was on lost laptops over a three-year period. Now, we took the lock leads away and we didn't spend any more money on lost laptops, but we carried on for a long time just putting lock leads on because it's the policy, it's what we've done, that's how we've always done things, everybody has a lock lead. It didn't matter how much the business said, oh, it's stopping us from being creative and flexible and all that, and us security folks are going, oh, blah, creative, who needs creativity. You know, it was literally stopping them from just lifting a laptop off and going into a meeting room, so they just wouldn't bother, that sort of thing. It's a small thing, but actually the moment you remove the laptop lock lead, because your encryption is protecting the thing that's important, is the moment when actually your processes move forwards, and move forwards with the business. Obviously, there are edge cases for a lock lead, but 99% of them are now no longer needed. And you take away lock leads, do you expect your thefts to rise? Well, no, not really, but they don't. Or maybe, you know, you change education on it, do you expect your incidents to go down? Maybe, maybe not.

And this is where again we have to look at the cause and effect of the actions we take within our organization, around causation versus correlation. You've probably seen this; this is from Tyler Vigen's website, and what it talks about, excuse me, is, for instance, the blue line here is the per capita consumption of cheese in the US. Can you guess what the green line is? Yes, it's actually the number of people strangling themselves in their own bed sheets. So do places that eat more cheese die more often through strangulation? Are they having more vivid dreams? Who knows. No, it's totally unrelated, just like the number of films released by Nicolas Cage in a year is correlated to the number of water deaths on the US Eastern Seaboard, right? Got nothing to do with each other. But it's very easy to say, hey, if we remove laptop lock leads and we see an increase in laptop theft, we need to therefore put more lock leads on. The two are potentially entirely unrelated, entirely unrelated, because you have to look deeper into it. Are the thefts as a result of the lock lead not being used, or is it theft from a car, from a house, etc., or from a pub? Hands up somebody who's lock-leaded their laptop in a pub. Well, before I was a... exactly, there we go, there we go, before that strategic thinking gene kicked in, right?

So here we come to a gradual close, where we talk about, therefore, how the hell do we deal with this? You're saying that we can't measure risks very well, we're not very good at it, and when we do measure risks it's only in three primary colors and therefore it's problematic when we measure it and it never really makes sense, and anyway you're telling us that the process we're using for measuring risk is probably out of date, and even when we do measure risk and then measure some other inputs against it, it's probably correlation and not causation. Where are we? Well, the key thing here is the flexible risk response. When we write up risk registers, we do risk registers because they are useful, there's no doubt about that. They're especially useful if you're ISO 27001 certified or whatever certified, because that's the first thing they look at. But they are useful because they allow you to measure a sort of a risk profile of your organization, excuse me, a risk profile of your organization. But what they don't do is necessarily tell you what you should be protecting, or how you should protect it, or how you should respond to it. And so you do need this somewhat flexible risk response, which is basically saying: when you are invoking your incident management process because a risk has actualized and something has gone wrong, and you respond to that actualized risk, at the end of it that incident management process needs to feed back into your risk management process. These are not two entirely separate, never-shall-speak-to-each-other teams. These are two tightly integrated teams, because the incident management teams are dealing with the actual risks, not the perceived risks, not even the hygienic risks or the hygiene risks; they're dealing with the actual risks, because they're the risks that have actually happened and gone wrong. You take their learning and apply that to your risk register, to apply a little bit more critical thinking to ascertain how accurate in reality your risk register is. Having seen risk registers that say "attack by wild dogs" as a risk, you know these things happen, these kinds of approaches happen. So we, by taking this incident management approach, learnings, feeding it into your risk management approach, and then allowing your incident management team to look at the risk register and say we need to start practicing against some of these scenarios, not the one that Kevin just thought up because he read about it in the newspaper, we need to look at the ones that we think are actually going to happen. And this cyclical nature actually allows you to make better judgments on your risk assessments and your risk measurements, better judgments on your incident management testing and procedures and activities and the actual incidents, and you get a continual feedback loop as a result.

So the key takeaways here are: when you look at something as a risk, think about your perceived, your hygiene and your actual risks. Is it an actual risk, or am I just fixing it because I'm thinking, oh, brother, no, I don't want to do that? You know, is it a real risk? Also, spot patterns in your risks over time. Has the outlier risk, the black swan risk, for instance... distributed denial of service 10 to 15 years ago was a black swan event. Anonymous and their Low Orbit Ion Cannon was a black swan event. When it happened nobody had any idea how to address it, how to deal with it. DDoS nowadays is barely a blip, I mean they don't even phone the CISO for DDoS any more, right? It's just a SOC event that's managed, because we've dealt with it, we've seen it before, it's a commodity. Recognize the difference between what is potentially a black swan, or at least afterwards a black swan, and what is a real commodity risk, yeah, and understand those differences. And also, just because a risk has been mitigated, sorry, I'll rephrase that, just because a risk hasn't happened doesn't mean it hasn't been mitigated. Just because you haven't had an uptick in lost or stolen laptops doesn't mean that you have solved that issue. It could just be a statistical blip, it could be a correlation activity, it could just happen to be that your increased use of lock leads has resulted in a drop in laptop thefts, and vice versa. So think about the two. Make sure that there isn't a placebo effect, that you've decided actually we've put this fix in place, we know what we... and we've seen a stat and therefore it's fixed, we don't have to worry about it.

That's the end of the talk. Well, I'm pretty sure we've got time for questions now. I don't know how much time we've got left. Four or five minutes? Four, five minutes, okay. You can also catch me here, and if this room doesn't know how to find out who I am or how to contact me outside of this then we're screwed as an industry, especially as I have no OPSEC skills whatsoever, so I'm all over the internet. But in the meantime we can take any questions if anybody has any. Mr Rule 34.

Say you're ahead of the curve and you see a risk happening in the future, but your company doesn't consider that risk. You're thinking outside the box; how would you... the risk in a way which they understand? Obviously it's not a yellow... what's the best...?

Creative storytelling. Slightly tongue in cheek, but actually, creative storytelling, and I don't mean Jackanory; I do mean being a little bit more research-based, statistic-based, but also painting a picture for them. Many years ago, we're talking about the early '90s, we put in a leased line at a company I was working at, brand new, everybody was on individual dial-up. Put in a leased line, company said we don't need a firewall, nobody knows who we are. So I downloaded, I think it was their anniversary recently, the Cult of the Dead Cow tools, and basically broke the leadership team's passwords on their usernames, and I dialed in from home, intercepted traffic, broke them, printed them out, put them in a safe. Only two of them came up. After the second person came up, opened the envelope and saw it was their password, they then approved the funds that weren't approved before. Creative storytelling: think of different ways in which you can put the point across and show them the impact of it. It's a very broad... you know, because there is no black and white solution, right, but you have to try and get a little bit more out of the box. Any other questions? Awesome, thank you very much.
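As an added example, not part of the talk or the speaker's own material: the three-axis grid from the talk (likelihood of threat, ease of exploitation, asset value, scored 0 to 8 and mapped to red, amber, green under an adjustable risk appetite) together with the incident-management-to-risk-register feedback loop it ends on, in Python. The additive 0..8 scoring, the appetite thresholds, the bump rule and every register and incident entry are assumptions constructed for illustration.

```python
"""Risk grid scoring plus an incident-to-register feedback loop.
Constructed data throughout: register, incidents and thresholds are invented."""
from collections import Counter
from dataclasses import dataclass, replace
from typing import Optional

ORDER = ["low", "medium", "high"]                 # scale for the two qualitative axes
LEVEL = {name: i for i, name in enumerate(ORDER)}


@dataclass(frozen=True)
class Risk:
    risk_id: str
    title: str
    asset_value: int        # 0..4, rising order of importance (arm .. face)
    likelihood: str         # likelihood of the threat: low / medium / high
    ease: str               # ease of exploitation: low / medium / high
    treatment: str = ""     # control in place, empty if untreated


@dataclass(frozen=True)
class Incident:
    incident_id: str
    risk_id: Optional[str]  # None when nothing on the register matched
    summary: str


def score(risk: Risk) -> int:
    """0..8 = asset value + likelihood index + ease index. Assumption: the talk
    only says its grid scores 0 to 8; this additive form follows ISO 27005 Annex E."""
    if not 0 <= risk.asset_value <= 4:
        raise ValueError("asset_value must be 0..4")
    return risk.asset_value + LEVEL[risk.likelihood] + LEVEL[risk.ease]


def rag(value: int, appetite=(3, 6)) -> str:
    """Red/amber/green for a score; appetite = (green_max, amber_max).
    Lowering both thresholds models a risk appetite that shrank on Friday morning."""
    green_max, amber_max = appetite
    if value <= green_max:
        return "green"
    return "amber" if value <= amber_max else "red"


def rerate(register, appetite=(3, 6)):
    """RAG every register entry under the given appetite."""
    return {r.risk_id: rag(score(r), appetite) for r in register}


def raise_level(level: str) -> str:
    return ORDER[min(LEVEL[level] + 1, len(ORDER) - 1)]


def feed_back(register, incidents, bump_after=2, appetite=(3, 6)):
    """Incident management feeding the risk register (register not mutated).
    - >= bump_after incidents against a risk: likelihood up one step, re-rated;
    - incidents matching no entry: register gaps, obvious only after the fact;
    - treated risks with zero incidents: review list, since the control may be
      working or may be a hygiene risk (lock lead on an encrypted laptop); the
      count alone cannot tell which, so a person has to ask.
    """
    hits = Counter(i.risk_id for i in incidents if i.risk_id is not None)
    updated, rerated = {}, {}
    for r in register:
        if hits[r.risk_id] >= bump_after:
            new = replace(r, likelihood=raise_level(r.likelihood))
            updated[r.risk_id] = new
            rerated[r.risk_id] = (rag(score(r), appetite), rag(score(new), appetite))
    return {
        "updated": updated,
        "rerated": rerated,
        "gaps": [i.incident_id for i in incidents if i.risk_id is None],
        "review": [r.risk_id for r in register if r.treatment and not hits[r.risk_id]],
    }


# Constructed register and nine-month incident log (all values invented).
REGISTER = [
    Risk("R1", "laptop stolen, disk encrypted", 1, "high", "high", "lock leads"),
    Risk("R2", "attack by wild dogs", 2, "low", "low"),
    Risk("R3", "phished credentials reused on VPN", 3, "medium", "high", "training"),
    Risk("R4", "DDoS on public website", 3, "high", "medium", "SOC runbook"),
]
INCIDENTS = [
    Incident("I1", "R3", "finance user typed password into lookalike site"),
    Incident("I2", "R3", "mailbox rule forwarding to external address"),
    Incident("I3", "R4", "volumetric flood absorbed by upstream scrubbing"),
    Incident("I4", None, "unauthorised device found in comms room"),
    Incident("I5", "R3", "repeated MFA prompts accepted by on-call engineer"),
]
```

With the default appetite every treated entry lands amber (the "everything becomes a little bit amber" problem); tightening it to (2, 4) turns the same register red, while the incident log pushes R3 to red on evidence, flags I4 as a register gap and puts the lock lead control on the review list.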