Monday Morning Coaching, Rational Actors, Recon, & Risk?
September 13th, 2009 by cmark. Posted in PCI DSS

Anyone who knows me well knows that I am a diehard college football fan. Nothing makes me happier than a Saturday of good college football. While I am an Auburn alum, I will happily watch any conference and any team as long as the matchup is good. Like many, I am guilty of Monday morning quarterback syndrome. If this term is foreign, it essentially refers to the tendency to coach the game after the fact. All serious sports fans have likely looked back at a game or play and said something like: “If Auburn had used the option instead of the wildcat formation, they would have beaten Alabama.” This may be an accurate statement, but the folly lies in the fact that it is made after the game has been played. Believe it or not, there is a political economy theory being applied here. It is known as the Rational Actor Theory. In essence, the Rational Actor Theory states that all humans are rational beings and as such will act in their own best interests. This model was used to evaluate the Cuban Missile Crisis in 1962. For any political economy geeks reading this, a great book is Essence of Decision by Graham T. Allison. Back to the point….
Rational Actor Models are great to evaluate decisions after the fact but often fall flat when attempting to use them for predictive models. In much the same way I can coach any team to victory after the game has been played, we can all make perfect (or near perfect) decisions once we have the benefit of hindsight and can understand the variables.
At this point, some readers are likely getting ahead of this post and can see where I am going. There is a tendency in the payment card industry to coach the game after the fact. We have all heard people say: “If X and Y had been done, then the company would not have had a data compromise.” Is this an accurate statement? Maybe, maybe not. It is also important to remember that the criminals are rational actors too. Consider my house. If someone breaks in because I don’t have a lock on my front door, can I then state, “If only I had had a lock on my front door, my house would not have been broken into”? Who knows. If I have something the criminals want and my front door is locked, the criminals, being rational actors, will simply break a window. If I bar my windows, they may cut a hole in the roof. The point of this exercise is not to discuss the Rational Actor Theory, but rather to explain that coaching a game after the fact provides little value aside from allowing people to learn from mistakes.
Recently, I read an article titled “PCI Compliance Would have Stopped Gonzalez.” The author states that the company would not have been breached by the criminal masterminds if PCI controls had been implemented in an “above average” way. This is a classic case of Monday morning quarterbacking. While I will be dissecting this article in a later post, I wanted to make the point that it is easy to look back at a compromise and provide the proverbial “ifs and buts”. As a former military colleague of mine was fond of saying: “If ‘ifs and buts’ was ‘candy and nuts’…. every day would be (expletive) Christmas.”
Clearly the PCI DSS, or any security controls implemented properly, provide some value and reduce the risk of a compromise relative to having no controls implemented. It is, however, somewhat naive to believe that PCI DSS alone would have prevented the data compromises.
Using the word “prevented” in this context is interesting. “Prevented” is a definitive statement that suggests we are talking about risk elimination as opposed to risk reduction. To suggest that the compromise would have been “prevented” as opposed to mitigated or reduced implies that if the company had implemented the controls in an “above average manner” (as stated in the article), then the risk would have been eliminated. I am using this as an example of another area where our industry tends to be led astray. For a company handling payment card data there is no such thing as risk elimination. You can reduce the risk of compromise, but you cannot eliminate it. Unfortunately, we tend to hear various people stating after the fact that “If company X had been compliant, they would not have been compromised.” This is difficult to reconcile with how risk actually works.
In my previous life as a US Marine, I served as a Recon Marine. During my qualification training I was attending Amphibious Reconnaissance School to qualify for the military specialty of 0321 and was in the patrolling phase of training. My team and I had been awake and patrolling for several days and had just failed another patrolling exercise. We were being graded on our tactics while crossing danger areas, and the instructor was not happy with our performance. At one point (after many pushups and sprints with our packs as ‘motivation’), I asked our instructor how to ensure that a team could cross a danger area safely. What he said always stuck with me and is relevant to the current debate within the payment card industry. This grizzled old SSgt. said: “Mark (my last name), you can do everything perfectly by the book and exactly right and still get your entire team killed at any point. All you can do is make tactically sound decisions to mitigate the risk, but you can never eliminate the risk.”
This Force Recon Marine and combat veteran, with no formal information security or risk education, had a better understanding of risk than most in our own industry. He had also articulated the concept perfectly. From previous armed conflicts we have learned what generally works and what does not. We codify this in standard operating procedures (SOPs). We apply these SOPs and attempt to make tactically sound decisions consistent with them. Even when we follow the SOP and make good decisions, we cannot anticipate all of the variables at play and, as such, are still exposed to risk. Quite simply, all we can do is minimize the risk; we cannot eliminate it.
While there is no disputing that some companies make poor decisions that deviate from accepted security practices, it is naive to believe that simple compliance with any standard or SOP will eliminate risk. All companies can do is adhere to the standards, make tactically sound decisions, and hope for a bit of luck.
3 Responses to “Monday Morning Coaching, Rational Actors, Recon, & Risk?”

By Brian on Sep 15, 2009
Very good commentary on risk reduction vs. elimination.
Also, a big “War Eagle!” from another AU grad
By cmark on Sep 15, 2009
War Eagle! Auburn is looking good this season (so far)
Thanks for the comments.
By HaroldCo on Sep 22, 2009
War Eagle