TwitterFacebookEmailRSS

Cybersecurity: Battling the Bruce Hornsby Effect

Last week I was applying my “finishing touches” on a cybersecurity presentation:  one last look at Twitter, glance at a feed aggregator & skim the day’s headlines.  Between breaking news on the Sony Pictures hack, progress on class action suits over the Home Depot compromise, and some continuing local coverage (in the Twin Cities) of the Target breach, there were plenty of updates.  I even worked in a Dennis Rodman slide.  This Sony thing is sort of his fault, after all (I kid.)  Regardless of the audience or the technical subject matter there’s always something in current events that updates the content on threat vectors, victim trends, cyber liability, regulatory landscape, etc.  Every time, with every presentation, some “breach du jour” or something related leads to an update in my deck.  It’s a steady diet of ubiquitous bad cybersecurity news that somehow hasn’t already led to effective steps to stem the tide of compromises.  I find that surprising – but should I?

A few days ago I was trying to wrap my head around the notion of “breach fatigue” vis-à-vis the average American.  I’m not just concerned with it affecting my neighbors next door, but also the fellow security geeks working in offices down the hall.  Case in point:  When news of Target broke, I was certain it was going to be the tipping point that would lead us down a path to change on a large scale (Spoiler alert:  sometimes I’m wrong about stuff.)  That was my conclusion, one I’ve aired more than a handful of times, and in the year-plus since it happened, a non-trivial number of colleagues have let me know they disagree.  Some common sentiments from those doubting Thomases:

– “Breach fatigue – there are just so many headlines that people start to tune it out.”
– “As long as it’s not costing the [consumers/company/shareholders] money, they don’t care.”
– “Sure, another breach, but nothing ever changes.”

In order, what about breach fatigue?  Are peers and colleagues really telling me, with a straight face, “There’s so much hacking that we have to ignore it?”  I stated last week I believe the root cause is that incident information is so inadequate and alternative options so scarce, it creates a “Bruce Hornsby Effect” (“That’s just the way it is, some things will never change”) in the average breach victim.  That may explain why there’s not an overwhelming groundswell of victims calling for substantive security changes, but what’s IT Operations’ excuse?  You’d sprain your brain trying to derive a clearer “canary in the coalmine” example of cyber threat trend analysis (or “Let’s say this Twinkie represents the normal amount of nefarious cyber activity…”)

Next comes the notion that breaches aren’t hitting pocketbooks and bottom lines.  I wrote last week about the difficulties the average consumer faces in calculating the costs of a breach.  But what about the hacked organizations themselves and their shareholders?  As a security guy, I know there are many ongoing efforts to track and quantify the cost of a breach – probably the most notable being the Ponemon Institute’s Annual Cost of a Data Breach Study (which places the 2014 average cost at $201 per record lost.)  Similarly, you can find staggering estimates around recent high profile breaches:  Home Depot warns that costs will surpass its initial $70M report, Sony’s two breaches account for over a quarter billion in losses over three years, and one Target estimate eclipses $1B.  But then you may notice something interesting, for companies reportedly hemorrhaging money post-incident, none of their stocks appear to be in an all-out freefall.  They trend down in short term response to the attacks, but all seem to mount comebacks that make you wonder if The Street really thinks these attacks are taking a toll.[i]  You would think loss figures with that many commas in them would constitute “bet your business” or existential threats, even for organizations of this size. But who’s really bearing the cost of the breach?  We’re seeing that payment card breaches drop the heaviest costs on issuing banks and many of the targeted retailers are drawing on cyber insurance policies to cover some, if not all, of the losses.  It becomes another area where net effects and actual costs of an incident are hard to pinpoint.  While that abstraction has made it hard to tally losses and pinpoint accountability, at least the banks have come to the conclusion that they shouldn’t be bearing the full brunt of these breaches and they’re litigating.  As of this writing, Target is facing over 100 breach related lawsuits and Home Depot nearly 50.  Both companies have recently suffered preliminary rulings allowing cases against them to proceed.  It seems the previously murky gulf between an incident and who owns the financial fallout of that incident may be getting some clarity soon.[ii]

“Sure, another breach, but nothing ever changes.”  I find it disturbing that this particular symptom of the Bruce Hornsby Effect predominantly occurs in security professionals.  Maybe you’re fighting a lot of organizational inertia and have poor, abstract metrics at your disposal, but there is a flashing neon business case for revisiting and reevaluating security posture, standards and readiness here.  We could continue diving into the reasons things haven’t changed, or we can ask the much more important follow up question:  Is this course sustainable?  That surprise I feel every time I scan the headlines prepping for another presentation is disbelief that we haven’t already had our hand forced by some compelling event.

So what will it take to see real change?

Litigation – Litigating a breach is not a new approach.  But from talking to attorney colleagues about their current case load, it seems this round of litigation involves a lot more thought about what a negligence standard and duty of care for data stewards might look like.  The technical understanding of the courts has matured from previous waves of cases as well.  And even factoring in inertia and breach fatigue, when the “class” in a class action suit numbers in the hundreds of millions, awards are likely to scale to levels that cause even the biggest industry players and sectors to wince.  A successful suit that helps define security and negligence standards would likely bring substantive security improvements forward.

Underwriting – In addition to banks, insurers are shouldering a large portion of the burden from this last wave of high profile breaches.  I’ve reviewed examples of underwriting qualifications and policy exclusions based on specific security capabilities.  One policy I’ve seen specifically states that unencrypted PII is out of scope for cyber liability coverage (Here’s an example of a similar exclusion related to portable devices/removable media.)  A broad-based industry initiative or underwriting shift by major insurers to require specific security controls (encryption, SIEM tools, segregation of duties, etc.) or compliance with a strategic security framework as a basis for coverage would also force substantive improvements to security postures at large.

Catastrophe – These are severely damaging events that carry tremendous impact.  Some catastrophes may involve events we’ve caught bite-size glimpses of and perhaps even prepared for on a smaller scale:  natural disasters (Hurricane Katrina), cyber warfare (Georgia, Ukraine), sabotage (Stuxnet), and general concerns about terrorist or nation-state attacks on critical infrastructure (power, water, transportation) and targeted systems disruption (financial market collapse.)  But it would take an event of unprecedented magnitude to produce wholesale change in our approach to security and readiness.  There are plenty of nightmare scenarios you can paste into this space, and numerous indicators that we are trending toward such an event.  For our purposes though, my contention is that it would take a scenario with measurably greater impact than what we’ve seen to date to in order to induce real change (To wit, nearly a decade after Hurricane Katrina, how many organizations still have their disaster recovery site in the same general geographic region as their production data center?)  It’s entirely plausible (I’d argue predictable) to imagine that in the wake of a truly massive, crippling cyber event, many critical sectors of U.S. infrastructure would engage in a massive correction (and likely overcorrection) in security practices and standards as they did with physical security protocols following the September 11th attacks.[iii]

The previous section once read, “What would it take to see real change?”  “Would” now reads “will” as I feel all three subsequent scenarios are extremely likely, if not forgone conclusions.  Litigation and underwriting will continue to evolve in ways that redistribute the financial fallout of breaches and place the onus of protection back with IT as it carves out more appropriate and prescriptive security terms.  While that iterative and reactive process takes place, the baddies will continue to outpace security improvements and drive us ever closer to a tipping point cyber event.  The smart money is on proactively preparing for these eventualities and getting ahead of the threats and risks, right?  It’s common sense, it’s intuitive, and traditionally it just doesn’t happen because of things like inertia, fatigue, and Bruce Hornsby.

But stick to your guns, folks because “that’s just the way it is…ah, but don’t you believe them.”


[i] Time will tell with Sony.

[ii] There’s probably an entire series of discussions on cyber liability that could fork off of this thread. For the purposes of this discussion though, the most important development is that between issuing banks, breached companies, shareholders, insurers, and affected individuals, actions are proceeding to correct what some of these players perceive to be an unfair or imbalanced distribution of the costs associated with a breach.

[iii] While I’m advocating for change and improvement to security practices, I’m concerned that undertaking those changes as part of a hasty, irrational, knee-jerk response to a cyber event might actually exacerbate problems. The preferred approach is to develop an approach under normal operating circumstances, before such a catastrophe occurs, with an eye toward minimizing the impact of such an event and getting the organization back to normal business operations.

Breach Letter Excerpt

How You Learned To Ignore Over a Half Billion Data Breaches

Ever read one of these addressed to you? If not, congratulations. But based on statistics, headlines, and personal experience, I’m going to guess you have (or you’re really bad at getting to your snail mail.) My most recent came from a financial institution that handles a retirement account for me. I first heard about the breach from the usual online sources long before receiving a letter. This news was accompanied by a disproportionate increase in stomach acid, a search for more information, a check on my account status, and then eventually a return to what I was doing. En masse people have credit cards canceled, accounts drained, identities stolen, yet somehow less than an hour after being alerted to a potential risk to what I’ve put away for my retirement, I’m back to working on someone else’s security architecture. How exactly did we, as individuals, end up in a position where we’ve basically learned to ignore over a half billion breaches of our data?[i]

Let me qualify what I mean by “our data.” I mean large cross sections of individual and consumer data. Personally I’ve received a relatively small number of these notification letters over the years, I’ve only caught one fraudulent credit card charge, and any shortfalls in my retirement planning are still “unforced errors.” But in following the never ending flow of new breaches affecting millions, apparently I’m also nearing the point of shrugging my way back to our regularly scheduled programming. It can be called “breach fatigue” and I’m trying to put my finger on exactly how with headlines like this: “CYBERATTACKS NOW COST OVER $1.5 TRILLION A YEAR”, it’s a very real thing (even for someone who works in security.)

Here’s a cursory list of what I figure to be the most important (I’m sure there are more ways to slice and dice this issue) variables at work underneath breach fatigue:

Actual cost

Comprehension

Market alternatives

Ability to affect level of risk

Emotional/intangible impact

Actual Cost – There is a delta here that probably helps explain a large chunk of the breach fatigue phenomenon. That is, the actual cost to you will be wildly different if you are merely an included individual in a large breach, than if your data is actually leveraged to commit fraud or other malfeasance. If there’s an “upside” to a large breach (spoiler alert: there’s not) it’s that in a huge compromise a very small percentage (not number) of included individuals will likely see a high actual cost, assuming the breach isn’t mishandled. For those whose data is leveraged the cost, even beyond actual dollars in terms of time and productivity, is often crippling. The very real “downside” is that large scale and repeated notifications to those whose data isn’t actually leveraged begin to interpret each successive notification as a “zero actual cost” event as opposed to a dire warning about how their bank, retailer, service, etc. almost completely jacked up their financial and reputational future . This stream of notifications should reflect increasing risk to our sensitive data, instead it is taken by many as increased frequency of “zero actual cost” breaches. It’s a completely inverse read on the actual risk being presented and a recipe for breach fatigue.

Comprehension – Enterprise security can be pretty dense subject matter. It’s not clear that, even with sufficient after-action reports and technical details (both rarities), that an average person will read about a breach and conclude better risk mitigation steps were available and should have been taken. I recall a number of reports from major institutions that lead me to say things like, “How have they been passing their PCI assessments all this time??”, “Aren’t these guys HIPAA/HITECH regulated??”, “Isn’t that a ‘Security 101’ mistake??” etc. While this raises major red flags in my mind about doing business with an organization, I realize these are not the questions or the concerns of the average customer. Little public concern follows even major security gaffes and there is seldom substantive change beyond a couple terminations, resignations, and general lip service. It’s difficult to make informed decisions about a breach when you’re not getting much detail to begin with and IT jargon reads like a David Lynch dream scene to you.

Market Alternatives – Let’s build off of the notion of a comprehension factor and address two scenarios:

  1. You are completely oblivious to all things IT and a thorough reading of your compromised bank’s breach report could trigger an infringement action by the holder of the Ambien patent. All you want to know is if they have your money and it’s safe to keep it with them.
  2. You’re the sort of geek who reads blogs on technology, security, and related policy in your free time and you’re not happy with what you just read from your business partner.

If you’re the person in the first scenario and the notion of a breach at your bank of choice upsets you, will switching banks help? How would you know? As the headlines detail other, also trusted and reputable, banks being compromised how does the average person interpret their market alternatives for a “secure banking (or retailer, service provider, etc.) option?” If the biggest and most trusted names in a sector are making the headlines, how does the average person discern the merits of their security offerings? Again, the avalanche of breach news adds more noise to the signal.

If you’re in the security savvy set, you may determine that a particular vendor has been playing fast and loose with your data. You’re really disappointed and it’s time for you to part ways. How can you ensure that your next vendor is any better? Of course, there are offerings for banks, retailers, social media, etc. that allow for enhanced security measures. Things like multifactor, out of band, and hardened authentication may speak to an organization’s commitment to security, but it’s hardly a “complete picture.” The details of enterprise security plans and safeguards are not something companies are hot to share or publish. Assuming you can find an organization that hasn’t fallen prey to a similar compromise, can you really get enough information to make a determination that Company Two will be an improvement on Company One’s security practices? How do you assure that it isn’t just a matter of time before your replacement vendor joins your original vendor on datalossdb.org?

Whenever I get wind that I might be in the affected class of a breach, my first inclination is to do something. I’ve called out “market alternatives” as a variable because often I find, even after thorough research, little to no evidence that a change of vendor or provider will definitively enhance the security of my information going forward.

Ability to Affect Level of Risk – Again, finding I’m included in a breach makes me want to act to protect myself and I just addressed what limited options we have for market alternatives. Like many failing relationships, you may find yourself wondering “What if the problem is me?” It’s probably a logical stretch to think that your inclusion in an eight or nine figure table of compromised records is somehow based on your individual behavior, but it’s logical to wonder “Could I have done something to prevent this?” There are some compromises close to the end user (ATM Skimmers, account hijacks, etc.) where hardened authentication methods and enhanced paranoia might decrease your odds of being leveraged. When it comes to large scale breaches, however, the enterprise nature of the compromise really takes compromised subjects’ behavior out of the equation. As with “Market Alternatives” there’s nothing substantive I can do, in this case with my own behavior, to proactively or reactively change the level of risk I face.

Emotional and “Intangible” Impact – I work largely with public sector clients. In general, public vs. private sector security discussions raise a fair amount of “apples to oranges” objections. Over a year later, however, my clients still haven’t unclenched their teeth over the Target breach. In a field largely apathetic to private sector, bottom line focused, PCI regulated concerns, why Target? Why does that particular breach register on radar when I can probably count on one hand the number of clients who have even mentioned larger breaches like Sony PSN, Heartland, or J.P. Morgan/Chase? I believe it goes to impact affecting them as individuals as opposed to their role as a public sector CIO, CISO or Security Architect.

Like every other factor mentioned “emotional and intangible impact” is hard to quantify and measure, but it’s more easily absorbed and internalized. The notions of canceled credit cards during the holiday shopping season, sitting on hold with an issuing bank as 70,000,000 cards are replaced in parallel, and what about those Target gift cards I just gave out? Pile all that disorder on to the manic anxiety of holiday shopping season and apparently it hits harder than a notice about a threat to your retirement account or a “DECLINE” code when you go to purchase that DQ Blizzard (maybe I’m showing my bias for small cash transactions here, but who was using a credit card at Dairy Queen in the first place??) While the variable may be somewhat “intangible” in nature, I believe Target shows us that this is the element that people most understand and react to. The intangible aspect is the only part of the equation solely derived from the effected individuals. It also shows us, when compared to other breaches, that emotional impact may not have a strictly linear relationship to things like actual cost or the total number of records breached. My informal observation is that, even without actual cost, individuals can still be affected by the emotional impact of a breach more than a year after the fact.

Looking back, the average person may find breach information is hard to comprehend, has a low signal to noise ratio, and doesn’t present them with many alternate courses of action. That’s not to say that breach fatigue equals breach apathy. It seems Americans worry more about online security than everything except walking alone at night. Could it just be that the amount and format of breach information leaves the average breach victim largely in the dark? How else can you ignore more than a half billion breaches?

 


[i] That’s total number of records breached as taken from the Identity Theft Resource Center’s statistics. I realize that’s not 673,293,959 individual actions resulting in breaches, but it is 673M records breached. However you slice it, it’s a LOT to ignore.