The Philosophy of Security Risk Assessments
Philosophical razors are a type of cognitive tool framed as general rules or guidelines, which can be applied to a variety of circumstances. Razors can help us better understand how to prioritize information so that we can make effective decisions. They reduce the complexity of the information we are gathering, help identify and clarify key concepts, and bring to light our own assumptions and biases—all critical elements in the decision-making process.
It's unlikely that many security professionals turn to philosophy when making decisions. But here we’re going to examine several types of philosophical razors that can aid security professionals. The truth is, you’ll see that you likely already apply these razors as you encounter issues that need solving; we do it without thinking about it. But if we purposefully consider them, and are able to apply these razors critically and thoughtfully, you’ll find you make better, quicker decisions.
In very broad terms, physical security focuses on three core responsibilities: identifying threats and risks, implementing appropriate controls, and overseeing the daily operational safeguarding of an organization’s assets, information, and people. Start listing all the assets that need safeguarding, all the potential threats to those assets, and all the ways to mitigate them, and the complexities of physical security become readily apparent.
Security risk management is a discipline used to bring a strategic approach to physical security’s complexities. To be successful at security risk management, one must possess a thorough and rigorous understanding of the threat landscape married to the application of appropriate strategies to manage the risks effectively, all within the organization’s risk appetite and budget.
Indeed, across a number of industries, one could argue that threats and risks in the last decade have significantly accelerated in range, pace, and complexity. Across all these areas—and the entire security risk management spectrum—is information, loads of information. But how do we manage to go from the different stages of gathering information, framing it into risk and threat assessments, and managing the ever-growing volume of information produced by the controls we put in place to mitigate risks?
The answer to those questions is possessing the ability to apply specific guiding principles to sift information effectively at the assessment stage—a philosophy of security risk assessment.
Security professionals must arrive at an informed decision point based on comprehensive and rigorous understanding of the relevant information. Sometimes, security professionals reach a decision point that is supported by prior experiences, leadership savvy, or leveraging additional skill sets, such as in-house security intelligence analysts or third-party solutions. Other times, decisions may be elusive, and the volumes of data and range of information sources can be overwhelming. This results in what psychologist Daniel Kahneman would refer to as difficulty in extracting actionable insights from the “noise.” (For more, read Noise: A Flaw in Human Judgment, by Kahneman and coauthors Olivier Sibony and Cass R. Sunstein.)
For both types of decisions—the kind we already think we have a handle on because of our experiences or intuition, and the kind that has us spinning in a sea of information trying to figure out a way forward—philosophical razors can help us quickly reach decisions we can be confident about.
There are many philosophical razors that people have named and described. Here are four I think are particularly helpful for security professionals.
The well-known Occam’s razor is a philosophical razor that states that when all else is equal, the simplest or most straightforward explanation is usually the most accurate or closest to the reality on the ground. This razor presents plenty of value for security professionals.
First, it can be used to simplify threat identification, which otherwise could lead to a paralyzing list of potential threats that never ends. We cannot completely negate or ignore that a complex and multifaceted attack could occur; however, rather than overcomplicating the threat assessment process with unnecessary information or assumptions of adversarial actions, we can use Occam’s razor to help set boundaries by accounting for the simplest and most straightforward threats first.
Occam’s razor can also be applied to investigations. Confirmation bias or the anchoring bias can skew investigations, and rather than looking to the simplest explanation, we end up jumping to theories that are needlessly more complex.
Social engineering adversaries take Occam’s razor to heart. Rather than devising a scheme to overcome complex, sophisticated security technology systems, an attacker need only ensure that someone is willing to hold the door open for them. They could use such sophisticated tactics as carrying two cups of coffee so their hands are not free to reach for a badge. Or perhaps they’ve seen a staff member’s badge and call out to that person by name as if they’ve met before.
Applying Occam’s razor from the security management perspective is about identifying the simplest adversarial explanations and actions. Doing so will more easily help us identify the underlying causes of the risk and allow us to better develop mitigation strategies to otherwise correct it. Taking this razor into our risk management strategies, we can save time and resources and identify the most practical—and most necessary—solutions and controls.
Another razor that can be applied to our line of work is Hume’s razor, also known as Hume’s guillotine or the is–ought problem. Hume’s razor is not too distant from Occam’s razor, and it asks that whenever we are piecing together information to reach an explanation, we should prefer the explanation that requires the fewest assumptions.
Hume’s razor is particularly effective when applied to adversarial pathways analysis (either pre- or post-incident), where we essentially plot the necessary steps and actions of an adversary against our control suite to identify security gaps, as well as delay and response times.
As we go through the analysis steps, applying Hume’s razor will ask us to look deeper into each of the steps an adversary would need to take—if our security control isn’t sufficiently able to produce the observed effect to counter the adversarial action, then we should either eliminate the control from consideration and go back to the drawing board, or identify what needs to be added to the controls to create the security goal of preventing the adversarial action.
There are often multiple ways to success, and adversaries are particularly adept at finding new ways to try and bypass security controls to ensure success. This can be applied jointly with Occam’s razor, so when we are evaluating the steps an attacker might take, we should give preference to explanations that require the fewest assumptions about actions the adversary takes. These assumptions might be that the adversary had a helper or certain equipment or skills. Applying both razors together to risk assessment models gives us the following steps:
- Identify. Identify the high-level organization security threats and any related known or expected vulnerabilities.
- Hume’s razor check. List and review how many adversarial assumptions and conditions are required for each of your security threats to successfully exploit those vulnerabilities—these are likely to be the and/or actions in the adversarial pathway analysis exercise.
- Occam’s razor organizing. Rank the security threats from least complicated (i.e., the least number of actions an adversary needs to take to ensure success) through to those security threats that would require the most actions to complete.
- Prioritize. Consider prioritizing the threats and vulnerabilities that can be most easily exploited. Using both razors, this prioritized list will start with the threat that requires security professionals to make the fewest possible assumptions about an adversary's capability and is the easiest or simplest path or tactic an adversary is likely to take.
- Review. Review where the assumptions and conditions arise. Underlining evidence to substantiate each assumption or condition may identify key adversarial approaches to undermine security and reveal new security vulnerabilities.
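The five steps above can be run as a small model rather than a spreadsheet. The following is an added example, not part of the original article or any tool it names: each threat is an AND/OR pathway of adversary steps, each step carries the assumptions we would have to make about the adversary for it to succeed, and the ranking key is (fewest assumptions, fewest actions), i.e. Hume's razor first, then Occam's. The threats, steps and assumptions are constructed sample data for a hypothetical office site.

```python
"""Adversarial pathway model combining Hume's razor (fewest assumptions) and
Occam's razor (fewest actions). Added example with constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Step:
    """One concrete action an adversary must take, plus what we would have to
    assume about the adversary for that action to succeed."""
    name: str
    assumptions: Tuple[str, ...] = ()


@dataclass
class Node:
    """AND: every child is required; OR: any one child suffices; LEAF: a Step."""
    kind: str
    step: Optional[Step] = None
    children: List["Node"] = field(default_factory=list)


def leaf(name: str, *assumptions: str) -> Node:
    return Node("LEAF", Step(name, tuple(assumptions)))


def all_of(*children: Node) -> Node:
    return Node("AND", children=list(children))


def any_of(*children: Node) -> Node:
    return Node("OR", children=list(children))


def cheapest_route(node: Node) -> Tuple[int, FrozenSet[str], List[str]]:
    """Return (action_count, assumptions, step_names) for the least demanding
    route. AND nodes accumulate; OR nodes keep the child ranked lowest by
    (number of assumptions, number of actions): Hume first, then Occam."""
    if node.kind == "LEAF":
        return 1, frozenset(node.step.assumptions), [node.step.name]
    routes = [cheapest_route(c) for c in node.children]
    if node.kind == "AND":
        actions = sum(r[0] for r in routes)
        assumptions = frozenset().union(*(r[1] for r in routes))
        steps = [s for r in routes for s in r[2]]
        return actions, assumptions, steps
    if node.kind == "OR":
        return min(routes, key=lambda r: (len(r[1]), r[0]))
    raise ValueError(f"unknown node kind {node.kind!r}")


def all_assumptions(node: Node) -> FrozenSet[str]:
    """Every assumption anywhere in the pathway, not only on the cheapest route."""
    if node.kind == "LEAF":
        return frozenset(node.step.assumptions)
    return frozenset().union(*(all_assumptions(c) for c in node.children))


# Step 1 (Identify): constructed threat list for a hypothetical office site.
THREATS: Dict[str, Node] = {
    "Unescorted visitor reaches the office floor": any_of(
        leaf("Wait at the entrance until a staff member holds the door",
             "staff do not challenge unknown people"),
        all_of(leaf("Pick up a badge left on a desk in a shared area",
                    "lost badges are not reported promptly"),
               leaf("Present the badge at the reader")),
    ),
    "After-hours entry through the loading bay": all_of(
        leaf("Defeat the roller-shutter lock",
             "adversary has tools", "adversary has lock skills"),
        leaf("Leave before the alarm response arrives",
             "adversary knows the response time"),
    ),
    "Authorised staff member removes a confidential file": leaf(
        "Copy the file during normal working hours",
        "the insider already holds access"),
}


def rank_threats(threats: Dict[str, Node]) -> List[Tuple[str, int, int]]:
    """Steps 2 to 4: score each threat's cheapest route and rank by
    (assumption count, action count). Easiest, least speculative threat first."""
    scored = []
    for name, tree in threats.items():
        actions, assumptions, _ = cheapest_route(tree)
        scored.append((name, len(assumptions), actions))
    return sorted(scored, key=lambda t: (t[1], t[2], t[0]))


def review_assumptions(threats: Dict[str, Node]) -> Dict[str, List[str]]:
    """Step 5 (Review): map each assumption to the threats that rest on it,
    so each one can be substantiated with evidence or challenged."""
    by_assumption: Dict[str, List[str]] = {}
    for name, tree in threats.items():
        for a in sorted(all_assumptions(tree)):
            by_assumption.setdefault(a, []).append(name)
    return by_assumption


if __name__ == "__main__":
    for threat, n_assume, n_act in rank_threats(THREATS):
        print(f"{n_assume} assumption(s), {n_act} action(s): {threat}")
    for a, ts in review_assumptions(THREATS).items():
        print(f"assumption '{a}' underpins: {ts}")
```

The review map is deliberately built from every assumption in the tree, not just the cheapest route: the assumptions an OR branch discards are exactly the ones worth underlining with evidence, because a control that invalidates the cheap branch pushes the adversary onto the other one.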
One of the great challenges to physical security risk management is inertia, or not continuously re-evaluating our approach and choice of control suites. There are a number of reasons why inertia develops. For instance, security can become static where threats may not advance as fast as they do in other areas or industries, when the design basis threat against which the building was designed no longer exists, or if the ongoing debate over budgets and continued upgrades to security infrastructure falls off the top of the agenda. Popper’s razor, or Popper’s falsifiability principle, can be useful in these kinds of situations.
Ostensibly, Popper's razor is applied to scientific reasoning, namely that a theory must be testable and capable of being proven false. At a basic level for security risk managers, this can mean showing willingness to challenge the security assumptions that are in place, such as standard operating procedures (SOPs), policies, and the assumed function of security controls.
The real value of Popper’s razor, however, is when we look to test our assumptions and predictions against real-world data. Where it is not always feasible to test the entirety of one’s controls, incidents or breaches that occur within peer organizations can be an invaluable method of testing your own controls and mitigations, providing you the ability to generate real data points rather than assumptions when making arguments for upgrades.
Consider how Popper’s razor can apply to data-driven risk assessments, for example. There are many third-party services and open sources that can offer security datasets, including the Uppsala Conflict Data Program and the Global Terrorism Database hosted by the National Consortium for the Study of Terrorism and Responses to Terrorism (START). These groups collate high-impact adversarial actions such as terrorist attacks or armed conflict.
Working with these datasets, security professionals can begin to draw out relevant dates of attacks (helping to show trends and advances in frequency of attacks), attack target types (helping to frame the discussion applicable to our own sites), incident types (allowing us to cross-reference against our own security risk registers), and the attack methodologies, toolsets, or weapons used. With each quarter or annual period, we can review our security risk assessment documents and threat assessments to critique our security control suites in line with adversarial developments. Being able to review real-world data and assess it against our controls drives the business case to either disprove, refute, or otherwise test the effectiveness of our security risk management frameworks.
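The dataset review just described (dates for trend, target types for relevance, incident types to cross-reference against the risk register, and methods used) can be scripted so that each quarterly or annual pass produces the same data points. The following is an added example, not part of the original article and not code from the Uppsala Conflict Data Program, START or any other dataset provider: the CSV records and their column names are constructed for this example and do not follow any real dataset's schema, and the risk register is an assumed list of incident types a hypothetical site already tracks.

```python
"""Annual review of an incident dataset against a site's risk register.
Added example; the records below are constructed and the column names are
this example's own, not a real dataset's schema."""
import csv
from collections import Counter
from io import StringIO
from typing import Dict, Iterable, List

# Constructed sample records (not real incidents).
SAMPLE_CSV = """date,country,target_type,incident_type,method
2021-03-04,Country A,Business,Armed assault,Firearm
2021-07-19,Country A,Government,Bombing,Explosive device
2022-01-11,Country B,Business,Hostage taking,Firearm
2022-05-23,Country A,Business,Armed assault,Bladed weapon
2022-11-02,Country A,Utilities,Facility attack,Incendiary
2023-02-14,Country A,Business,Armed assault,Firearm
2023-06-30,Country A,Business,Vehicle attack,Vehicle
2023-09-09,Country B,Business,Bombing,Explosive device
"""

# Assumed risk register for a hypothetical commercial site: the incident
# types its security risk assessment already covers.
RISK_REGISTER = {"Armed assault", "Bombing"}


def load_incidents(csv_text: str) -> List[Dict[str, str]]:
    """Parse the CSV into one dict per incident."""
    return list(csv.DictReader(StringIO(csv_text)))


def filter_relevant(incidents: Iterable[Dict[str, str]],
                    countries: Iterable[str],
                    target_types: Iterable[str]) -> List[Dict[str, str]]:
    """Keep only incidents in the countries and target types that match our own sites."""
    countries, target_types = set(countries), set(target_types)
    return [i for i in incidents
            if i["country"] in countries and i["target_type"] in target_types]


def incidents_per_year(incidents: Iterable[Dict[str, str]]) -> Dict[int, int]:
    """Frequency by year, with zero-filled gaps so a trend line is honest."""
    counts = Counter(int(i["date"][:4]) for i in incidents)
    if not counts:
        return {}
    return {y: counts.get(y, 0) for y in range(min(counts), max(counts) + 1)}


def year_over_year(per_year: Dict[int, int]) -> Dict[int, int]:
    """Change in count from the previous year, for the 'advances in frequency' argument."""
    years = sorted(per_year)
    return {y: per_year[y] - per_year[prev] for prev, y in zip(years, years[1:])}


def count_field(incidents: Iterable[Dict[str, str]], field: str) -> Dict[str, int]:
    """Frequency of one column, e.g. target_type, incident_type or method."""
    return dict(Counter(i[field] for i in incidents))


def register_gaps(incidents: Iterable[Dict[str, str]],
                  risk_register: Iterable[str]) -> List[str]:
    """Incident types seen in the data but absent from our risk register,
    most frequent first: candidates to add (or to argue should be added)."""
    observed = count_field(incidents, "incident_type")
    missing = [t for t in observed if t not in set(risk_register)]
    return sorted(missing, key=lambda t: (-observed[t], t))


def annual_review(csv_text: str, countries: Iterable[str],
                  target_types: Iterable[str], risk_register: Iterable[str]) -> Dict[str, object]:
    """One review pass producing the data points the assessment document cites."""
    relevant = filter_relevant(load_incidents(csv_text), countries, target_types)
    per_year = incidents_per_year(relevant)
    return {
        "relevant_incidents": len(relevant),
        "per_year": per_year,
        "year_over_year": year_over_year(per_year),
        "methods": count_field(relevant, "method"),
        "register_gaps": register_gaps(relevant, risk_register),
    }


if __name__ == "__main__":
    report = annual_review(SAMPLE_CSV, ["Country A"], ["Business"], RISK_REGISTER)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The gap list is the falsifiable part: an incident type that appears in the peer data but not in the register is a concrete data point against the claim that the current control suite covers the threat landscape, which is a stronger basis for an upgrade request than an assumption.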
Critically, adopting Popper’s razor helps underpin a security culture that benefits from taking a falsifiable approach to risk management. Doing so can help organizations avoid relying on speculative assumptions to gauge the performance of security controls and focus instead on evidence-based analysis.
Another area borrowed from the world of intelligence analysis and applied to security risk management reporting is the BLUF writing format. BLUF stands for “bottom line up front,” and it seeks to take the essential and most important points from an intelligence brief and present them up front for the reader.
Going hand-in-glove with the BLUF concept is Einstein’s razor. The principle of Einstein’s razor is to make theories and hypotheses as simple as possible without diminishing the content. Some theories might be complex, but they should not be needlessly complicated.
Applying Einstein’s razor in security risk management means that we build on the BLUF format and write with simplicity and clarity. In particular, the work of security risk assessments can expand across various chapters, matrices, and appendices, while seeking to fold in numerous threat criteria. The result can be a document that is useful but needlessly large and complicated.
While there is a need to ensure we accurately record the process and assessment of information relevant to choosing and implementing security controls, we must always be focused on the intended reader—the stakeholders, policymakers, and leaders within the organization. A large and complex document with a number of recommendations may not be universally welcomed at the C-suite level. Rather, delivering clear, concise, accurate, and easily interpretable information helps the audience efficiently locate and comprehend the information they need. This is the cornerstone of Einstein’s razor and the BLUF format.
Importantly, Einstein’s razor does not seek to dumb down the information, rather it seeks to make the key points easily accessible and readily digestible. Even outside of the C-suite, security professionals themselves are often very busy people with a portfolio of work requiring constant attention, so this style of information structuring is useful and can drive action. Using BLUF, our security risk assessments should lead with the most important sentence at the start of the paragraph, summing up all the information in the rest of the paragraph. Using language that is clear, concise, accurate, and to-the-point leaves less room for interpretation and decreases the chance that managers and leaders will either misinterpret information or overlook key points we want them to understand.
Understanding Einstein’s razor and how it applies to our work means recognizing that underneath the purpose of the security risk assessment process lie key decisions and the key people who make them. It is not an easy task to write reports that reduce complexity and make the decision or consequences as simple as possible to understand without compromising the magnitude of the problem faced, but once achieved, this strategy can lead to far more buy-in for the security risk management process.
Many of the good practices that we observe as effective security risk management practitioners are underpinned by sound philosophical principles. Being aware of philosophical razors within the security risk management context can help ensure that the various strands of analysis, control metrics, surveys, and operational workstreams are grounded in sound evidentiary practices that avoid unnecessary complexity and consider an all-around perspective on the available information before managers draw firm conclusions. Indeed, the use of philosophical razors in physical security briefs and written outputs will help identify potential biases, assumptions, and fallacies that can distort our understanding of security risks and divert the attention of senior leadership away from the critical elements we are trying to draw their attention to.
As security risks and threats continue to evolve, it is essential as a profession that we continue to develop and refine our approaches to risk management, and the application of philosophical razors can play an important part in that future.
Mark Ashford is a security risk manager in the financial industry, following a career in law enforcement and state security. His other areas of interest include intelligence analysis, strategic foresight, and international relations.