
Forex Income Portfolios
Preemptive Risk Management. Built One Client at a Time. Protect One Client at a Time.

Stefan Whitwell, CFA, CIPM Chief Executive Officer


2014 WHITE PAPER


THE ROLE OF SCOTOMA AND SURVIVAL BIAS IN THE CYBER RISK AUDIT DECISION
Revised March 2014

Copyright 2014 Empirical Solutions, LLC. All rights reserved.

815-A Brazos Street | Suite 526 | Austin, Texas 78701 | 877.936.3372 | stefan@empiricalresults.net


Executive Summary:

For all the sophistication of the technology employed in cyber risk management today, two identifiable human behaviors threaten the effectiveness of the millions and millions of dollars spent on security measures. These two behaviors create dangerous backdoors that tunnel right through secure firewalls and often prevent the effective deployment of perimeter defenses. One salient feature these two behaviors share is that they are essentially invisible and difficult to quantify, measure and therefore counter. However, some basic best practices with regard to corporate governance can be an effective antidote if deployed with a mandate backed all the way at the top, ideally at the board level, since the implementation and enforcement of good governance procedures ultimately depends on a firm culture that is harmonized with the policies themselves.


March 25, 2014

CORPORATE GOVERNANCE: KEY TO MANAGING CYBER RISK

Peruse the websites of the largest cyber risk software and hardware solutions providers and you will see a dizzying array of technology solutions being deployed in an effort to protect corporate assets from the financial and reputational damage caused when malcontents breach corporate defenses and steal proprietary data. And for all the advancement of the technology behind the solutions, the headlines prove, beyond any reasonable doubt, that hackers are faster at innovating than corporations are at securing their assets. The annual loss to corporations due to these cyber threats measures in the billions of dollars. Worse yet is the reputational damage caused by seeing your firm in the headlines for all the wrong reasons, and the loss of trust with your end clients. And in order to avoid being the next Target (forgive the pun), corporate America is spending billions of dollars to protect itself. However, 99% of the activity in this area is focused on the mechanics: the software and hardware and its implementation. Lost in this race to protect corporate assets is the fact that technology alone cannot and will not provide the answer. The missing component needed to create a more robust defense is found in human behavior and the neurological wiring that determines much of our unconscious activity.

The Neurological Hack

Good hackers know that the easiest way to defeat a system is to find holes: gaps in the logic, unintended consequences of the way the system was constructed. Knowing the rules and the logic of construction can make all the difference.

This same methodology can be used to turn the tables and protect your firm.

And the place to start is with two powerful behavioral biases that affect the behavior of 99.9% of the employees that comprise any company. Threats come in two flavors, inside threats and external threats, but the one thing they share in common is the nature of the vulnerability that every firm must manage. More on this later. The thing that any smart hacker knows is that behavioral tendencies are far stronger than employee compliance with long employment agreements that most people can scarcely remember signing, much less reading. Two of the biggest gaps in security, regardless of whether the threat is internal or external, derive from (a) the human tendency to seek its own survival (which we call the Survival Bias) and (b) the persistent human neurological phenomenon known as scotoma, which I will hereafter refer to as the Scotoma Bias.

The Survival Bias

The Survival Bias is as simple as it sounds. It refers to the fact that the human brain is wired with a strong bias to select behaviors that it feels are important to its survival. We choose the word "feel" here intentionally, because in hindsight, or when viewed systemically, the chosen behavior may not correspond to the one that would be most rational from a game theory standpoint.

Here is how the Survival Bias operates in a corporate context and how it creates cyber vulnerability that hackers find and then routinely exploit. If a Board Director of a multi-billion dollar corporation, at a quarterly board meeting, asks the CEO whether he is taking the necessary and reasonable steps required to protect the corporation from cyber risk, the process by which that question is answered is subject to a conflict of interest driven by the Survival Bias. The executive being questioned benefits from the prestige of his senior executive role in the company, which evidences itself in a generous multi-million dollar compensation package and in how people in the community treat that person (with deference and respect). The executive to whom the question was posed has a strong incentive to answer in a way that prolongs his tenure, and it is easy for him, and for anyone outside this process, to deduce that the safest answer one can give to the question posed above is "yes." If the question is posed using slightly different syntax, such as "Is the Firm currently safe from the risk of cyber attack?", then the answer must also change, to something like "Well, one is never 100% safe, but we have retained experts to help us manage these risks and have implemented a number of steps to secure the Firm." What both replies share in common is a generally affirmative answer to the question. Regardless of the facts, an affirmative answer is most likely to prolong that executive's tenure and give the board the confidence that they [emotionally] want so that they too can feel secure.

However, logically speaking, the Director was asking for an assessment of fact, in order to execute their fiduciary duty of oversight and supervision. In this light, the only way that an executive can answer the Director in the scenario posed above with fact-based confidence is if they have sought factual assessments both from their internal resources and from an unbiased external source, such as third-party cyber risk auditors. Why would the CEO in this example be flying blind if he were to answer purely on the basis of internally sourced assessments? The answer: Survival Bias. The same dynamic that afflicts the board in turn afflicts the CEO. Continuing with the same example: the CEO, now aware that cyber risk is an explicit concern being monitored by the Board more actively than in the past, calls his Chief Security Officer (or Head of IT or Chief Information Officer; the same principle applies) for a meeting in which he poses the same question the Board posed to him, because he wants reassurance that the answer he gave the Board is accurate and because he wants to feel more confident that things are under control.

So he poses the same question to his CSO. And now you can hopefully see why these behavioral biases are so powerful and cannot be ignored: when answering the CEO, the CSO faces the same behavioral conflict of interest that the CEO faced. And indeed, this same scenario then replicates: after meeting with the CEO, the CSO calls in his chief of staff to ask them the same question, and on and on. At every single level of the firm, this conflict of interest, driven by the Survival Bias, operates at full steam.

The practical result of this cascading conflict of interest is that data points which do not support the thematic affirmative answer are not given the airtime and scrutiny they deserve, and therefore vulnerabilities continue to exist, to the delight of hackers. And in a resource-constrained world of budgets, this dynamic intensifies, because corporate resources are often allocated based on the deemed urgency of an issue, and issues which are downplayed therefore rarely receive an allocation of resources. You can now see how this conflict produces a slippery slope. Interestingly, once an executive has gone on record as saying that the company is secure, the immediate impact on subordinate staff is to incite them to relax and ease off the healthy and urgent scepticism that is required culturally among all employees in order to create a maximum state of readiness and security. Hackers benefit, however, from multiple sources of non-optimal behavior, another key source of which is scotoma.

The Scotoma Bias

Scotoma refers to the neurological tendency to see what you know and look for what you believe to be true. In one sense, scotoma is a blessing, in that it helps the human brain avoid meltdown from data overload by reducing the amount of data the brain needs to focus on, logically drawing the attention of our minds to information that we believe has credibility. In another sense, scotoma is a curse, because it introduces a wicked analytical defect into our unconscious thought process and leaves us persistently vulnerable to negative surprises. After a crisis, with what we call the benefit of hindsight, we often find an abundance of evidence that, had we focused on it, would have alerted us to the problem well in advance. What blinds us is not the absence of hindsight in advance but rather the analytical blindness caused by scotoma. In short, the Scotoma Bias is the tendency of the human brain to seek out only the data that supports what it wants to believe.

And in the corporate environment, the fact is that it is easier to prolong your career (which ties the Scotoma Bias into the Survival Bias) by delivering good news to your boss than by constantly delivering bad news, or the as-yet-unverified possibility of bad news. Hence there is a human tendency to look for good facts to report (such as everything you have done recently to help secure the network), rather than to actively search for data that could support a counter-interpretation (data suggesting that the network is vulnerable and that the millions spent on security over the last six months have not resulted in the Firm being any more secure).

These biases serve to weaken the security of the firm, but the way in which they do so varies based on whether the threat is internal or external.

External Threats

External threats benefit from the Survival Bias because weaknesses in the system persist for longer periods of time than they otherwise would, due to the reduced vigilance caused by the cascade of executives, all the way down the food chain, telling each other that things are fine. And often, after the digital investigations are completed, we learn that the vulnerabilities which permitted unauthorized access had been present for long periods of time, and had been used by attackers for long periods of time, before they were finally caught or the vulnerabilities acted upon.

External threats also benefit from the Scotoma Bias. In fact it is this bias that tips the scale in favor of the hacker, whose motivation is high, whose fear of failure is low (he is happy to keep trying new methods to penetrate the system and is not dismayed when methods he thought would work do not yield access) and whose resulting level of creativity is off the charts. By contrast, the employee is rarely rewarded with the same level of promotion, acknowledgement or pay increase for finding weaknesses in systems that fellow employees (and often their bosses) have designed, implemented and touted as successful. Yet it is exactly this behavior, the active search for weaknesses and unusual behaviors, that produces greater levels of security within firms.

Internal Threats

As it turns out, most firms have well-defined policies (written documents) that articulate what employees may not do (they are not allowed to steal from the company, share or sell company secrets, et cetera). And in the vast majority of data and IP thefts, the thieves had signed documents affirming those policies, which were therefore ineffective. What we find that firms rarely have, but need, is a culture of security, together with clearly defined and consistently executed enforcement policies. If there is no repercussion for lapses in adherence to security protocol, then as a practical matter you should expect a low rate of adherence, which in turn invites a greater occurrence of breaches. Enforcement deeply affects the culture of the firm and is therefore something that must be addressed and embraced from the top of the firm.

Another way that the biases identified above impact security is through the negative effect they have on employee morale. It is important to note, however, that the negative impact these biases exert on morale does not affect all employees in equal proportion. Interestingly, these biases tend to hurt the morale of the employees who are most attuned to security issues and vulnerabilities: ironically, the most valuable people on the team, who are the most likely to have observed weaknesses that need fixing.

Lastly, in a world of constrained IT budgets, the Scotoma Bias also comes into play by virtue of the linear way that budgets are often administered. In the typical budget process, each line item must be logically justified, et cetera. To fail to do so would risk looking capricious and invite censure. However, one of the smartest things a company can do is preserve some percentage of resource allocation for "speculative investigation" (or, perhaps a more benign name, "exploratory investigation"), where people on the team are given total freedom to explore, test, challenge and poke around, without the pressure of having to find evidence for a pre-ordained outcome. In a scientific setting we sometimes call these efforts Skunk Works, R&D and the like, and often the greatest discoveries come from these informal, expectation-free efforts rather than from highly structured, result-specific projects.

Conclusion

Remember, threats are most often highly intelligent, and that means that more often than not they are looking for the holes rather than attempting to walk through steel-reinforced walls. And these holes come from the weaknesses exposed by common behavioral biases. The good news is that these behaviors can be managed: by having well-incentivized enforcement policies that are actively and publicly enforced, combined with external cyber risk audits to combat scotoma. In much the same way that the Board does not get involved in the management of financial audits, it would never be expected to get involved in the management of a cyber risk audit, but it should insist that its management team retain an outside cyber risk management firm to ensure that something as crucial as the security of IP and proprietary data is getting done right, just as financial auditors ensure that the financial statements are being assembled in a reasonable and accurate manner.

In today's digital world, with the rapid growth of e-commerce and the uncontrollable way in which news spreads online, firms cannot afford to suffer public breaches in security. Therefore, retaining external, arm's-length cyber risk management advisors is now a corporate governance must-have, especially in light of the behavioral biases outlined herein. Although retaining a high-quality external advisor in this area is not inexpensive, it is far less expensive than the costs associated with a significant breach. In this light, external audit expenses represent an excellent investment and serve to protect the momentum built by management in the core of their business. In much the same way, the ultimate cost of retaining inexperienced counsel, when facing the prospect of significant litigation, may turn out to be far greater than the upfront investment required to hire top-quality talent to protect the firm.

The other benefit of hiring an external cyber security risk management firm on an ongoing retainer is that the Firm gains an outside party that can support it in the inevitable situation where there is an incident, and that party's familiarity with the Firm, its people and its systems allows for more thoughtful and faster response during times of crisis. In addition, when incidents result in legal action, it is critical that the Firm use external advisors with deep expertise in digital forensics and evidence collection, so that post-incident data collection is done in accordance with the standards courts require for digital evidence. Lastly, whichever outside advisory firm is chosen to serve as your external cyber risk auditor, I would strongly encourage you to select one that has deep expertise in the area of behavioral biases, as well as the requisite technological tools of the trade. Addressing key biases will help your firm focus on preemptive solutions that shift, as much as possible, the probabilities in your favor.

Stefan Whitwell
Austin, Texas