Recently, I was talking to one of our customers about how IT Security has evolved in the last 20 years. The conversation reminded me of ‘Escalation of Commitment,’ a topic studied both in Economics and Psychology.
The theory is definitely a bit deeper than this, but the concept is simple and powerful: as two adversaries compete to win, sometimes both continue to invest more and more resources even after a point where neither of them can win or recover their investment.
For example, do you remember that failed IT project that kept burning cash and resources, even after it was clear the project could no longer be brought back on track or deliver the expected results?
If we bring this back to the field of IT Security, we could start with a basic scenario: in the mid-nineties, as the first viruses started to spread, a few start-up firms sprung up to sell antivirus software for a fast growing PC market. Over the next few years, as the number and intrusiveness of viruses increased, so did the resources invested by the vendors and their customers.
Of course, both parties did have small wins. On the virus-makers side, they managed to wreak havoc across many organisations and in time, develop malware with new evasive capabilities. Meanwhile, on the antivirus-developers side, many viruses were successfully blocked by the software… until the next generation of viruses was unleashed, and new antivirus technologies were developed.
In my opinion, this Escalation of Commitment eventually forced the virus makers to explore new attack vectors and the antivirus developers to create new threat defences, making the traditional virus threat fairly useless.
Over the very long term, this attack and defend model is likely to result in an Escalation of Commitment. Of course, there will be wins for both attacker and defender from time to time, so they will keep going but over a long period of time, it is unlikely there will be an overall winner. Nevertheless, I do think that some organisations have started to break away from this Escalation of Commitment.
In verticals like Financial Services and Banking, many companies have built a good risk management foundation, as well as the right processes to support it. In addition, after a wave of major breaches in the last 18 months or so, there is a wealth of new technologies for threat intelligence and advanced threat protection reaching the market that will help those organisations with the right foundations to continue to take a reasonable lead over the attackers.
So, where does this leave those organisations that are lacking on risk management?
I am afraid they could end becoming the low hanging fruit that will break the stalemate in yet another Escalation of Commitment.
Keep a look out for a follow-up post providing advice for organisations that are lacking a risk management foundation.
Title image courtesy of ShutterStock