The Infosec Dunning–Kruger Effect: Confidence vs. Overconfidence

A key message at Tripwire moving into the next year is true confidence: confidence in the IT security posture and in information security's position within the business. While reading PricewaterhouseCoopers' "The Global State of Information Security® Survey 2013" I was surprised to see that, based on self-assessments, security officers are overconfident and optimistic about their organization's security posture, even though the data does not support it.

Half of the respondents in the survey view their organization as a "front-runner" in information security strategy and execution. Yet many of those same respondents report that their organizations' security budgets have shrunk, their security programs have degraded, and their security risks are not fully understood or addressed.

It seems as if an organizational Dunning-Kruger effect is at work, whereby the less competent rate their abilities higher than average while the competent are less confident. The results may also be an artifact of the self-assessment method itself, particularly where the assessments are not grounded in industry standards or measurable metrics.

The same study also reports a decline in the deployment of basic security detection technologies. Key categories that have slipped include malicious code detection, intrusion detection and vulnerability scanning tools, as well as security event correlation. Many of these detective tools are essential in providing the key metrics that security officers need to quantitatively measure their real security posture, their risk, and their overall true confidence.

Confidence is easy when you are ignorant of the risks, but "see no evil" is not a healthy strategy for dealing with today's infosec risks. Is it that the tools do not provide the right data, or that there is too much data to make sense of? How do you measure your infosec confidence?

Ken Westin

