Risk Homeostasis Theory and the Volvo-driving Information Security Team
Throughout my career, at various companies, I’ve always worked closely with the Information Security team. It’s always been a close and strategic partnership for me. Often, they are the ones that analyze the risks and set the priorities and it is up to my team to implement the actions and serve as the first line of defense for the company’s information assets.
A number of years ago at a previous company, I worked with an Information Security team whose members almost exclusively drove Volvos. Coincidence? You be the judge.
Why Volvo?
Volvo has long been considered the brand that comes to mind when you think, “world’s safest car.” All of their marketing is aimed at that singular message. They even have a new campaign entitled “Vision 2020: Aiming for Zero,” where they intend to have no serious injuries or fatalities in a new Volvo car.
Information security and automobile safety are two different things, but they both share a strong risk-averse attitude. Information Security exists to keep a company’s information technology and data safe and secure. Volvo exists to make automobile transportation as safe as possible without compromise.
What do I drive?
I drive cars that are old and fun. My summer ride is a 1999 BMW M3. Since safety standards and safety technology have improved over time, old cars certainly aren’t getting me the safest options. I like to have fun when I drive, so I prioritize a responsive throttle, tight handling, and a manual transmission.
What does that say about me? For starters, my risk appetite is a little higher than that of Volvo owners. Plus, I really expect a great driving experience. Finally, I drive older cars not just because I like the classic style, but because I like the value. All things being equal, I’d take a 15-year-old super car over a brand-new boring car for the same money, every time.
Old Race Car Dude Working with the Volvo Information Security Team
So by now, I’ve got you thinking that I’m the type of technology leader that likes to implement technology fast and on the cheap, giving security a back seat. I’ve also got you thinking that my Information Security team was slow, boring, and overly cautious.
The truth is much less dramatic. I really got along well with the team. We achieved dramatic improvement in technology capability and security at the same time.
Risk Homeostasis Theory
How is this possible? My good friend Miles Edmundson, who was the leader of this Volvo-driving security team, has a theory. It’s called Risk Homeostasis Theory, and he presented it at RSA Conference in 2011. He postulates that every risk-avoidance has an offsetting risk-acceptance to achieve equilibrium.
An example of this is airbags in cars. When we drive in a car with airbags, we subconsciously take more risk while driving because we know the airbag is there to save us. Conversely, we subconsciously drive more cautiously in a car that does not have airbags. Miles does a great job of explaining this, so be sure to check it out here:
Based on this explanation, everything makes sense. The Information Security team got their extreme risk-avoidance out of the way by driving late-model Volvos. That allowed them to accept reasonable risk during their workday as Information Security professionals. Conversely, my driving old fast cars to and from work gave me the thrill I was looking for, so I could exercise more caution in the professional environment when making technology risk decisions.
Therefore, if your CISO drives a Volvo, don’t panic. That might be a sign that he or she may be avoiding risk in one area, just to accept it in another.