A gorilla, an elephant and a horse walk into a bar…

Only, no one acknowledges them. Why?

Well, the patrons aren’t looking for the gorilla – their gaze is fixed on something else. The elephant’s presence is known, yet the patrons are choosing not to acknowledge it. And, in the case of the horse, the patrons are expecting a zebra.

People in the bar are experiencing common psychological effects, such as 'sustained inattentional blindness', denial and base-rate neglect. These are very powerful forces that influence us on a daily basis, and affect our decision making when it comes to managing risk.

In my last post, I presented a 2024 reading list for aspiring information risk management professionals. On that list was the book The Art of Thinking Clearly by Rolf Dobelli.

Two copies of this book sat on my bookshelf for years, before I picked one up and read it. It’s a fantastic book and one I strongly recommend you read. But, why did I buy the second one, and why did I repeatedly overlook both books when in plain view?

In The Art of Thinking Clearly, Dobelli presents 100 very short and digestible chapters exploring the domain of cognitive biases. If you’ve ever been tempted by those colourful infographics on social media depicting cognitive biases, don’t bother with them. Go directly to Dobelli’s book. Do not pass GO, do not collect ￡200!

Among many chapters covering biases, Dobelli also provides insight into other cognitive factors that plague our minds and seriously challenge our decision making. You will learn about aversions, errors, fallacies, heuristics, illusions, misrepresentations, paradoxes, syndromes and more. With so many mental obstacles, it's a wonder the human race has survived this long.

Dobelli conveys clear explanations of a range of psychological concepts, presents useful examples, references a plethora of research and concludes each chapter with practical guidance on how to avoid falling for myriad cognitive traps.

Dobelli’s Bar

Meet the gorilla, the elephant and the horse.

The (invisible) gorilla refers to the famous 1999 experiment, performed by Christopher Chabris and Daniel Simons, to highlight the issue of ‘sustained inattentional blindness’. If you don’t know about this experiment, watch the video at https://youtu.be/vJG698U2Mvo and count how many times the players, wearing white, pass the basketball. I guarantee you’ll make a mistake.

The elephant refers to the expression ‘elephant in the room’, which is a metaphor for a major topic or controversial issue that everyone is aware of but avoids discussing. That uncomfortable feeling of denial experienced by the people in the room only strengthens the ‘conspiracy of silence’. Did you see an elephant in a recent meeting?

The horse refers to the aphorism ‘When you hear the sound of hooves, think horses, not zebras’, which was coined in the late 1940s by Professor Theodore Woodward (University of Maryland School of Medicine). He used the fact that zebras are much rarer than horses in the US to warn medical students about the dangers of base-rate neglect (i.e. ignoring the most commonplace or likely explanation) when diagnosing the cause of symptoms.

What are the information risk management equivalents of the gorilla, elephant and horse?

Information risk elephant

Let's start with the largest animal. There are several big elephants in the room when it comes to managing information risk (and many other types of risk). These include:

• ineffective approaches that no one is willing to fix
• failure to define a clear and intuitive risk tolerance
• continuing to convey information risk in vague terms
• unwillingness to adequately test the effectiveness of information risk management.

As Douglas Hubbard explains in his book The Failure of Risk Management (also on the 2024 reading list), the approach taken by many organisations to manage risk represents their biggest risk.

In particular, risk management elephants include inconsistent terminology, inadequate analysis and ambiguous communication. Increasingly, risk professionals are questioning these and other significant issues, but the ‘conspiracy of silence’ is very powerful and slows much needed progress. Are poor methods your biggest risk management elephant?

Information risk gorilla

When it comes to performing information risk assessments, invisible gorillas lurk in every corner of your methodology. When organisations face major risks (i.e. involving an unacceptably high loss exposure) their business leaders deserve an approach that reduces uncertainty, conveys risk in probabilistic and financial terms and is proven to work. Details matter.

But be careful what you focus on. For example, when you look at specific types of asset, you can unintentionally disregard other assets and resources. When you focus on particular threat scenarios, you can ignore the broader threat landscape. And when you rely on standard security controls, you can overlook other essential security measures.

Other risk management gorillas include the diversion of:

• attention away from meaningful risk management techniques in order to meet compliance obligations
• security budget onto solutions that might not provide the greatest risk reduction (i.e. return on risk mitigation)
• focus away from the greatest risks posed by suppliers, because their reports omit key details (cherry-picking)
• priority for business requirements because of the influence of technology.

Information risk horse

Information risk assessments are also plagued by the horse (or more accurately, the zebra). Estimation by experienced risk professionals is a really important part of the risk analysis process. Output from this analysis should be realistic and meaningful risk values in the form of ranges.

By omitting base-rate or reference class data (i.e. the outside view) from the estimation process you significantly limit the value of the corresponding probability and financial loss values.

Other cognitive biases (such as those amplified by media articles, anecdotes and the perceived risk of other people) will typically lead to an overestimate of risk. As a consequence, reported risks might not reflect actual risk and lead to poor allocation of investment, resource and time.

Similar to the 'hoofbeats' principle is Hanlon's razor, which is very relevant when it comes to cyber risk management. Hanlon's razor states ‘Never attribute to malice that which is adequately explained by stupidity.’

Many threat indicators that appear adversarial in nature can often turn out to be related to human error or negligence. When you see unusual behaviour, don’t think nation-state attack.

Combating the information risk elephant, gorilla and horse

1. Confront the elephant (accept the unacceptable)

To combat the elephant in information risk management, you need to acknowledge its existence and address it. Shed your assumptions about risk management, read the growing material on better methods, challenge your own approach and start applying better/proven techniques. Go on, give it a try.

2. Adjust your focus to include the gorilla (expect the unexpected)

To combat the gorilla in information risk management, you need to change how you look at, and see things, in front of you. As Dobelli puts it, you need to ‘purge yourself of the illusion of attention’.

Consider the full technology stack that supports critical business processes. Don’t forget legacy infrastructure, shadow IT, low code, OT and that unapproved cloud service. Be clear about what you exclude from the scope. Explore the complete threat landscape. Don’t assume only one attacker is in play or that the threat is external and sophisticated. Apply models to ensure the complete range of protective measures is not overlooked.

3. Expect horses before zebras (expect the expected)

To combat the horse (or zebra) in information risk management, consult the base rate or reference class. This involves taking the outside view, where we look at the external data before considering internal data. Both Daniel Kahneman (Thinking Fast and Slow) and Philip Tetlock (Superforecasting) advise you take the outside view first, followed by the inside view. Their books (also on the 2024 reading list) explain more about this technique.

Next time

In the next post, I will explore more of Dobelli's book, covering such concepts as placebo buttons (think lifts/elevators), groupthink (will involve a hippo) and déformation professionnelle (think hammer and nails). In the meantime, you can learn more by reading his book.

Oh, were you expecting a joke?

A gorilla, an elephant and a horse walk into a bar, and the bar owner says 'is that a threat?'

Post image obtained from https://www.img2go.com

#criticalthinking #informationriskmanagement #crq #cognitivebias