Be nicer to your vending machine if you know what’s good for you

By CSC’s Eric Pinkerton

“You are more likely to be killed by a vending machine than by a shark.”

An InfoSec professional, whom I respect greatly, proffered this cheery prediction to me during a presentation about risk to illustrate just how poorly we, as humans, evaluate risk.

The rationale is simple: The yearly risk in the U.S. of dying from a shark attack is roughly 1:250,000,000. In contrast, the yearly risk of being flattened by a homicidal robotic shopkeeper is roughly 1:112,000,000.

Interestingly, this death-by-vending-machine is only as a result of annoyed patrons shaking machines that have failed to vend rather than the aggregate effect of cigarettes, sugary drinks and fatty snacks purchased in the small hours.

The ‘vendo’ is therefore roughly twice as lethal as the ‘mako!’

Now, when you consider that not everyone in the U.S. lives near the ocean and, of those who do, a much smaller subset actually chooses to go in the ocean, and you compare this with the number of people in the U.S. who live close to and use vending machines, you are looking at an exponentially larger pool of candidates.

How would you, as a surfer, out on the break in a black wetsuit at dusk in Western Australia, feel about that guy shouting at you from the beach to watch out for coke machines?

There is no shortage of vendors out there who continue to stand on that beach shouting cautionary tales, but there are inherent problems with taking these tales at face value. Not because the vendors themselves are necessarily out to deceive you, but because their world view is shaped by the experiences of their customers, in the same way that policemen might champion burglar alarms, whereas firemen prefer smoke alarms.

On top of this, these vendors tend to rely heavily on blunt statistics and weak probability. Whilst these are both great tools in the right hands, they require both skill and good data, and the simple fact is that, unlike U.S. death records, empirical data for information security breaches is simply not good.

Companies often don’t report breaches, many times because they don’t even know they’ve been breached. Those that realize they’ve been hacked learn just how difficult it is to tell by whom, how, when, where or even why they were targeted.

Even the overall cost of the damage remains a complete mystery. Too often we confuse the cost of diagnosing and fixing everything in retrospect with the cost of the breach itself, whilst failing to account for the more abstract impacts, such as damage to our reputation and the loss of trust.

Even if the collection of reliable data were possible, it would be of questionable value because of the exponential scale of the other variables involved. One of the few variables you can trust is that people have and will continue to make mistakes.

Human error is inevitable, and mistakes or oversights by engineers designing hardware, coders writing software, architects and integrators designing and deploying solutions, etc., are commonplace and practically impossible to eradicate.

Once we can accept this, our goal as security professionals should not be to get swallowed up in the whack-a-mole of trying to find and fix all of the problems, but rather to try and foster conditions in which the design processes of our solutions promotes the inclusion of comprehensive and complimentary controls to demonstrably reduce the consequence of human errors even when they do go unnoticed.

Put simply, if we want our garden to stay nice, we still need to spend time pulling the weeds, but we also need to take a little time to sow some seeds.

Also, if your vending machine won’t vend, show it some respect. We all have off days.


EPinkerton052015

Eric Pinkerton, a CSC Cybersecurity principal security consultant, has worked on numerous cloud assurance engagements, including complex control audits, detailed threat risk assessments and technical configuration reviews. Pinkerton is also proud to have contributed to both the forthcoming NESAF Cloud Security Framework and the current CSA Cloud Controls Matrix.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: