Its pretty clear that we humans have a tenuous at best grasp on risk. One reason I enjoy looking at market examples for risk-related behavior is that stock market provides a transparency that's lacking in infosec but the decisions and behavior are dervied from the same biases.
Today we are three years removed from generational stock market downturn where in March 2009, the S&P Index touched 666. Take yoruself back to that time, collapseniks were the belles of the ball. At the head of the list was Nouriel Roubini who when asked how the market would perform "Lower ... much lower," was his answer (remember he is saying this as the S&P is at 666). "Expect ... new lows reached in the next months and the year ahead." What we got instead was perhaps the best Bull Market this generation will ever see. The market is up 123% since.
Unfortunately, most people missed it. Instead, driven by fear, people were pulling money out of the market at the exact time it should have been moving in. And of course now people are more interested in investing with the market recovering. As Buffett says - you pay a high price for a cheery consensus.
Risk analysis needs to be back not by "wisdom" of the crowds or hysterical doom and gloomers but by data. When the S&P was hitting its 2009 lows its was back to the same price levels of 1996, for your reference in 1966 a house cost $14,200 and gasoline was 32 cents a gallon. Were you taking crazy risk to buy stocks at that level, as Roubini asserted, or were you getting the bargain of a generation?
Doing your own analysis based on data pays. In the same way, we should not judge the risk of technologies or efficacy of controls because convetional wisdom obliges us to look at one deployment scenario "safe" because its "inside the DMZ" and another control effective at stopping range of attacks simply because it translates network addresses.
Being a perma-Bull or a perma-Bear is plain silly. In 2009 everyone was celebrating the permaBears but in 2007 it was the opposite. Instead understand the scenarios, get the data and be objective. The crowd agreeing with you - whether its stock picks or making network firewalls your #1 priority - is irrelevant.
Comments