
PRAGMATIC Security Metrics by W. Krag Brotby, Gary Hinson

Appendix J: Observer Bias

The alert information security manager needs to be aware of his or her own cognitive biases, plus those of the intended audiences or consumers of the metrics and, potentially, even the people making the base measurements. It’s important to keep in mind that numerous studies have shown we humans are notoriously poor at estimating risk and acting appropriately even when we have objective factual information and ample warning. Anyone for a smoke?

Studies typically show that risk is gauged and acted upon more often as a result of instinctive gut reaction than by a reasoned or rational process. For example, one shark attack clears the beaches across the country even though one is far more likely (43 times more!) to be killed by a lightning strike on a golf course. These reactions are further shaded by a host of evolutionary and environmental biases that render it virtually certain we’ll mostly get it wrong. The point is that understanding and awareness can, at least, serve to compensate and reduce the margin of error.

A particular form of bias (one of more than 40 recognized biases) is called biased assimilation. This is the normal human tendency to pay attention only to those facts that support our personal agenda while discarding or disregarding those that don’t. We see this all the time in politics: politicians on TV gladly discuss and do their best to focus the audience’s attention on socioeconomic indicators that reflect positively on them and negatively on the opposition while doing their best to ignore or downplay others. Outside the media circus, observer bias is a deeper issue if the politicians and civil servants literally disregard metrics that are unfavorable or indicate issues that are difficult to tackle. Observer bias can even affect the choice of metrics, making it an insidious threat to the process of developing a system of metrics.

The status quo bias is about favoring the familiar over something novel or different even when it’s demonstrably not working. It’s the old saw about continuing to do the same thing that has failed repeatedly and expecting a different result.
