I’ve thrown out this concept during informal discussions at conferences, and I think I mentioned it during one of my talks at the Security Zone 2012 conference. But I’ve never really put it into a report, because I’m still kind of hoping that I can come up with a better term for it.
‘Cheeseburger risk’ is the kind of risk you deliberately take even knowing the consequences, until those consequences actually come to pass. For example, you may decide to go on eating cheeseburgers until such time as you have a heart attack – and then you’ll consider changing to a healthier lifestyle.
You can calculate the probability of something bad happening in security, and present it to your executives. But no matter what scoring system you use, they may choose not to do anything until the probability equals 1. I’ve heard security professionals repeat real quotes from their customers, such as, ‘Let’s wait until we actually get attacked.’
The subtext behind cheeseburger risk is often, ‘It will be of more benefit to keep taking this risk for as long as possible.’ And who is to say that’s not a viable strategy? If an enterprise can save $1m per year by not implementing a security program for five years, and then loses only $2m from a breach, that was a net gain – even if the outcome was certain, the timing was not. Another subtext is, ‘I simply don’t believe you when you say this is likely to happen.’ There’s not much you can do about that – proof by headline is not going to be effective at that point in the discussion.
Why is this important to the security industry? It’s a very common risk strategy that drives more purchasing than many people realize. It means that there will be more last-minute, emergency procurements (and incident response consultants know this very well). Marketing messages that try to scare a customer into spending may not work, because the customer will choose to bet on the breach scenario not happening – at least, not happening long enough for the cost savings to materialize. And it’s an opportunity for ‘security lifestyle coaches’ to step in after an enterprise is finally ready to change its ways. It may still backslide, of course, just as the line at McDonald’s will demonstrate. But understanding cheeseburger risk can help to drive better and more honest conversations with management.