Humans are Horrible at Risk Management. Humans are Awesome at Risk Management. Humans are horrible at risk management! Have you seen the news about Florida Man? How are we even still around? And yet, we are still around. In fact, humans are awesome at risk management; we’re now the dominant species on the planet. Why? How? Andy will share his thoughts on why humanity has significant advantages in making rapid, generally correct risk choices. You will learn how risk choices that appear unreasonable from the outside may not be; to identify the hidden factors in someone’s risk choice that most influence it; find out how to help guide people to risk choices that you find more favorable.

1. @CSOAndy
Humans and Risk
Andy Ellis
@csoandy
www.csoandy.com

2. @CSOAndy
Why do people make incomprehensible decisions?
SecurityProduct
Owner
Anyone can be a villain in someone’s story.
Modal
Bias!

3. @CSOAndy
A business conversation?
Here is my
project. Is
it safe?
Here is my
dangerous plan!
Sign off on it!
Here’s an ISO
checklist! Fill it
out!
Justify infosec
budget with this
makework!

4. @CSOAndy
A business conversation?
What do these
phrases mean?
I can’t be
bothered to
understand this.
We’ll fill it out
for you.
We’ll do the
work, just give us
more budget!

5. @CSOAndy
A business conversation?
Is it done yet? All I care about
is my schedule.
Why didn’t you
use ChaCha20-
Poly1305?
I’m smarter than
you are, and I
know big words.

6. @CSOAndy
A business conversation?
Is that a
showstopper?
I’m going to do
this no matter
what….
No, but we don’t
recommend
launch.
I’m just CYA over
here. You’re fine,
but I won’t admit it.

7. @CSOAndy
Humans are
at risk management.
badatrociousawfulconfusingincompetentincomprehensiblehorribleperplexing____________
@CSOAndy

8. @CSOAndy
Humans are
at risk management.
awesomeawful
@CSOAndy

9. @CSOAndy
Observe Orient Decide Act
Attention Processing Executive
Function
Coordination
O O D A
#KeyTakeAway
Decision Making: The OODA Loop
@CSOAndy

10. @CSOAndy
Why do people
make
decisions?
“stupid”incomprehensible“bad”
@CSOAndy

11. @CSOAndy
CONSTRAINTS
ATTENTION
Proximity
Novelty
Urgency
MODELS
Context
Framing
Expectations
RISKS
Costs
Fears
Expected outcomes
TRAINED RESPONSES
Practice
Repetitive
Low risk
HAZARDS
Distributed social
networks
Fast information flow
Virtual proximity
Confirmation
bubbles
Hindsight
expectations
Obscure costs
Complex returns
Repurposed
responses
Dunning-Kruger
O O D A
The Power of Models

12. @CSOAndy
CONSTRAINTS
ATTENTION
Proximity
Novelty
Urgency
MODELS
Context
Framing
Expectations
RISKS
Costs
Fears
Expected outcomes
TRAINED RESPONSES
Practice
Repetitive
Low risk
HAZARDS
Distributed social
networks
Fast information flow
Virtual proximity
Confirmation
bubbles
Hindsight
expectations
Obscure costs
Complex returns
Repurposed
responses
Dunning-Kruger
O O D A
The Power of Models

13. @CSOAndy
Historical paranoia
“Monkey on rope ladder” by Rachel Coleman Finch is licensed under Creative Commons 2.0 Generic
| @CSOAndy

14. @CSOAndy
Prisoner’s
Dilemma
Actual Prisoner’s
Dilemma
Different communities
have different
expectations!
If we believe our
“partner” will cheat on
us, we’ll cheat first.
Loyal
Betray
-3
-1
-3
-10-10
-5
-1
-5
30%
19%
13%
40%
Loyal
Betray
Loyal
Betray

15. @CSOAndy
CONSTRAINTS
ATTENTION
Proximity
Novelty
Urgency
MODELS
Context
Framing
Expectations
RISKS
Costs
Fears
Expected outcomes
TRAINED RESPONSES
Practice
Repetitive
Low risk
HAZARDS
Distributed social
networks
Fast information flow
Virtual proximity
Confirmation
bubbles
Hindsight
expectations
Obscure costs
Complex
returns
Repurposed
responses
Dunning-Kruger
O O D A
Risky Business

16. @CSOAndy
Hazards used to be simple…
@CSOAndy
“Attention Walmart Shoppers” by Robert Couse-Baker is licensed under Creative Commons 2.0 Generic

17. @CSOAndy
So we think risk calculations ought to be easy
Loss $5M $5B
Probability 10% / year .01% / year
ALE $500K $500K
Price of buying $50K $50K
Maintenance $14K $14K
Reduction in events 10% 10%
Cost $26K / year $26K / year
Risk Reduction $50K / year $50K / year
Savings $24K / year $24K / year

18. @CSOAndy
Qualitative Risk Matrix
High
Damage
Moderate
Damage
Low
Damage
Very Likely Priority 1 Priority 2 Priority 5
Likely Priority 3 Priority 4 Priority 7
Unlikely Priority 6 Priority 8 Priority 9

19. @CSOAndy
High
Damage
Moderate
Damage
Low
Damage
Very Likely Priority 1 Priority 5
Likely
Unlikely Priority 6 Priority 9
Qualitative Risk Matrix

20. @CSOAndy
… but now risks are more complex.
Image Source: Jeep®
@CSOAndy

21. @CSOAndy
Cost Context Matters
You are given one opportunity
to play a game.
A fair, 20-sided die will be rolled.
You bet X; if your number is rolled,
you keep your bet, and get back
20X; otherwise, you lose your bet.
Your expected payout is thus 1.05.
Would you bet $1?
Would you bet $10?
Would you bet $100?
Would you bet $1,000?
Would you bet $10,000?
Would you bet $100,000?
Would you bet $1,000,000?

22. @CSOAndy
“You don’t know what you’ve got ‘til it’s gone.”
@CSOAndy
You value something by
what you give up to get it.

23. @CSOAndy
Peltzman Effect
Coffey, Seamus. “The Peltzman Effect.” Microeconomics and Behaviour, October 2010, microeconomicsandbehaviour.blogspot.com/2010/10/peltzman-effect.html
RISK
REDUCTION
PERCEIVED
RISK

24. @CSOAndy
CONSTRAINTS
ATTENTION
Proximity
Novelty
Urgency
MODELS
Context
Framing
Expectations
RISKS
Costs
Fears
Expected outcomes
TRAINED RESPONSES
Practice
Repetitive
Low risk
HAZARDS
Distributed social
networks
Fast information flow
Virtual proximity
Confirmation
bubbles
Hindsight
expectations
Obscure costs
Complex
returns
Repurposed
responses
Dunning-Kruger
O O D A
The Spotlight

25. @CSOAndy

26. @CSOAndy@CSOAndy
Image Source: Simons, D. J., & Chabris, C. F. (1999). Gorillas in our midst: Sustained inattentional blindness for dynamic events. Perception, 28, 1059-1074

27. @CSOAndy@CSOAndy

28. @CSOAndy

29. @CSOAndy
CONSTRAINTS
ATTENTION
Proximity
Novelty
Urgency
MODELS
Context
Framing
Expectations
RISKS
Costs
Fears
Expected outcomes
TRAINED RESPONSES
Practice
Repetitive
Low risk
HAZARDS
Distributed social
networks
Fast information flow
Virtual proximity
Confirmation
bubbles
Hindsight
expectations
Obscure costs
Complex
returns
Repurposed
responses
Dunning-Kruger
effect
O O D A
The Response Playbook

30. @CSOAndy
System 1 vs System 2
LEFT
RIGHT
LEFT
RIGHT
LEFT
RIGHT
LEFT
RIGHT

31. @CSOAndy
System 1 vs System 2
LEFT
LEFT
LEFT
RIGHT
RIGHT
LEFT
RIGHT
RIGHT

32. @CSOAndy
CONSTRAINTS
ATTENTION
Proximity
Novelty
Urgency
MODELS
Context
Framing
Expectations
RISKS
Costs
Fears
Expected outcomes
TRAINED RESPONSES
Practice
Repetitive
Low risk
HAZARDS
Distributed social
networks
Fast information flow
Virtual proximity
Confirmation
bubbles
Hindsight
expectations
Obscure costs
Complex
returns
Repurposed
responses
Dunning-Kruger
effect
O O D A

33. @CSOAndy
Humans are
awesome at risk management.
situationally
@CSOAndy

34. @CSOAndy

35. @CSOAndy
CONSTRAINTS
ATTENTION
Proximity
Novelty
Urgency
MODELS
Context
Framing
Expectations
RISKS
Costs
Fears
Expected outcomes
TRAINED RESPONSES
Practice
Repetitive
Low risk
HAZARDS
Distributed social
networks
Fast information flow
Virtual proximity
Confirmation
bubbles
Hindsight
expectations
Obscure costs
Complex
returns
Repurposed
responses
Dunning-Kruger
effect
The End of the Right Situation?
#KeyTakeAway
O O D A

36. @CSOAndy
Improvement through Adversarial Learning
A D O O
O O D A

37. @CSOAndy
A D O OInjection
Stealth
Misdirection Maneuver
O O D A
OODA Attacks
Mistakes
Paralysis
Distraction
Blindness
Complacency
Confusion
Ineptitude
Surprising
Misleading

38. @CSOAndy
Improvement through Introspection
A D O O
O O D A

39. @CSOAndy
OODA Improvements
O O D A

40. @CSOAndy
OODA Improvements
O O D A
Noise
reduction
Instrumentation
Hazard
review
Model analysis
Bayesian
retrospection
Planning
Impact
assessment
Training

41. @CSOAndy@CSOAndy
ANSWERS?
Andy Ellis
@csoandy
www.csoandy.com

42. @CSOAndy
Copyright Notification
• Akamai Logo (Triple Wave Swoosh and Akamai Name) and Tagline are copyright
and registered marks of Akamai. Slide template copyright Akamai.
• All photos marked with copyright information, unless they are in the public domain.
• All other content and assembly is licensed under the Creative Commons 2.0
Attribution License (CC-BY). Non-binding expression of intent: if you’re inspired by
this, and just create your own, no attribution required. If you’re copying graphics,
Stephanie Sullivan of Akamai is the originator. If you’re copying texts, Andy Ellis of
Akamai is the originator. (Note: If you’re copying photos, their copyright holds).