Why You Need a Human Involved In Risk Decision-Making
Until there is a whole new level of real AI technology and not pattern-based recognition automation as we know it now, risk decision-making should still always have human involvement.
I got inspired for this article following the David Spark CISO Series Friday evening event on “Hacking Automation”.
During the event, David asked a question, ‘Which element you would never automate’ and both panelists and many others in the chat room said Risk and I wanted to share more on my thoughts on where you can’t automate with AI.
Information on Risk Gathering like penetration testing tools, even risk identification can be automated (or a combination of automation and human) but when it comes to the decision-making on risk, that should always be a human.
A risk assessment can give you scores to consider, but there is no such thing as ‘generic risk’ in cybersecurity, there’s no one-size-fits-all. Every threat has a different impact level for each organization type, industry, and even specific activities in an organization.
I see it with Boardish as well as in consulting. Risk depends on variables in an organization like structure, revenue engines, and even functions like marketing (when you consider market position losses in the calculation) and it’s all interconnected. Cyber threats are a 3D picture (some say 4D) which need different perspectives that automation and AI just cannot give right now.
Which is why a human should have the say on the priority of IT and Cyber risks and make the final decision on what is a higher risk to the organization.
When my partner and I were building the Boardish Methodology, we made a big decision on the ‘decision-making’ and level of control a human has over threat decision-making. Which is why one of our main elements in the methodology is TPF (Threat Protection Factor). This is the efficiency of the solution against the threat.
We knew we could go via the automation route, we can integrate with other tools, take the data, and provide an automated response for “how efficient is the solution against the threat”. E.G – Endpoint Protection is 68% efficient against Malware.
But then we understood that only a skilled professional, that knows:
- The company inside out
- Knows how the threats impact His / Her company
- Knows after real-life testing the real-life efficiency levels of certain solutions
And only with that information can they make an accurate decision on how efficient a solution is for THEM. How much will certain solutions mitigate that company’s threats.
This is also why we separated “On-Prem” and “On-Cloud” and gave them separate TPF input values. We have seen too many scenarios in which a solution can be VERY efficient on-prem but have almost no impact On-Cloud and vice versa.
That’s why when it comes to risk decision-making, we need to give the Cyber Professional FULL CONTROL on the Decision. Of course, we can suggest based on our professional knowledge but it must be a suggestion only so the final word will always be the person who is in charge, who is responsible for the company.
Here is a screenshot of our TPF section in the Boardish wizard, you can see that YOU can decide the efficiency on-prem and on-cloud for each solution against a threat or multiple threats:
To try the TPF for yourself, sign up to Boardish completely FREE here: https://app.boardish.io/
Learn more about Boardish here: https://boardish.io/
Eli Midgal, Co-Founder of Boardish