All about ‘cheeseburger risk’

I’ve thrown out this concept during informal discussions at conferences, and I think I mentioned it during one of my talks at the Security Zone 2012 conference. But I’ve never really put it into a report, because I’m still kind of hoping that I can come up with a better term for it.

‘Cheeseburger risk’ is the kind of risk you deliberately take even knowing the consequences, until those consequences actually come to pass. For example, you may decide to go on eating cheeseburgers until such time as you have a heart attack – and then you’ll consider changing to a healthier lifestyle.

You can calculate the probability of something bad happening in security, and present it to your executives. But no matter what scoring system you use, they may choose not to do anything until the probability equals 1. I’ve heard real quotes from security professionals that they’ve gotten from customers, such as, ‘Let’s wait until we actually get attacked.’

The subtext behind cheeseburger risk is often, ‘It will be of more benefit to keep taking this risk for as long as possible.’ And who is to say that’s not a viable strategy? If an enterprise can save $1m per year by not implementing a security program for five years, and then loses only $2m from a breach, that was a net gain – even if the outcome was certain, the timing was not. Another subtext is, ‘I simply don’t believe you when you say this is likely to happen.’ There’s not much you can do about that – proof by headline is not going to be effective at that point in the discussion.

Why is this important to the security industry? It’s a very common risk strategy that drives more purchasing than many people realize. It means that there will be more last-minute, emergency procurements (and incident response consultants know this very well). Marketing messages that try to scare a customer into spending may not work, because the customer will choose to bet on the breach scenario not happening – at least, not happening long enough for the cost savings to materialize. And it’s an opportunity for ‘security lifestyle coaches’ to step in after an enterprise is finally ready to change its ways. It may still backslide, of course, just as the line at McDonald’s will demonstrate. But understanding cheeseburger risk can help to drive better and more honest conversations with management.


About the Author

Wendy Nather is Research Director, Security, within 451 Research’s Enterprise Security Program, providing analysis on the current state of security from the perspective of a veteran CISO. Wendy’s primary areas of coverage are on application security and security services.

2 Replies

  1. Chris Hayes says:

    Hi Wendy! This is an interesting phrase. I would offer a few points:

    Risk management functions need to have a mechanism to give visibility to cheeseburger risk. That implies that there are formal processes to accept risk associated with issues and that those issues and decisions are formally tracked. When we overlay attributes of frequency and severity we now have a story to tell and can also begin establishing dialogue around capacity, appetite and limits.

    My capacity is 10 White Castle Jalapeno Cheeseburgers (mmmm… White Castle). My appetite is six. My lower limit is two and my upper limit is 8.

    Another way of thinking about “cheeseburger” risk is the frog in a beaker over a Bunsen burner. As more heat is applied, the frog will not really react but just die. You can also use the death by a thousand cuts scenario – you keep on taking more and more risk until you have a significant loss event.

    Miss chatting with you! Let me know if I am overthinking this :-)

  2. What’s the infosec equivalent of eating cheeseburgers but taking Lipitor and running 5 miles a day? #InfosecAnalogiesAreLikeNutellaCrepes #GoodButNotGoodForYou #ComparedToBaconAndNutellaCrepes