Following from a recent post on ‘Escalation of Commitment’, a topic studied by both Economists and Psychologist, I could not resist writing a follow-up to explore the consequences for third parties that do not have the preparation and/or resources of the parties involved in scenarios of escalation of commitment in the IT security field. In the previous post, I covered the example of financial services organisations that have good risk management foundations to fend off attacks to their IT infrastructure. This is likely to divert the attention of the attackers to look for low hanging fruit in unprepared organisations e.g. easily exploitable, unpatched vulnerabilities. However, this is not the only likely scenario once an escalation of commitment has kicked in. Here are three possible scenarios: 1. Nations do not have unlimited cyber-security budgets, but can invest more in this area than most companies if engaged in intelligence operations and/or cyber-warfare against other nations. The nation under attack is likely to reciprocate by further investing in strengthening defences, diplomatic efforts and plausibly a counter-attack or series of counter-attacks. Once the defender becomes the attacker, both nations will quickly increase their investment and efforts falling into the downward spiral of escalation of commitment–all of these while their diplomats point fingers at each other! Other nations with fewer resources will have no choice but to act defensively: a widely-covered example is the government of Estonia that has built a fairly complex continuity plan that includes moving their e-government services to the United Kingdom in case of a cyber-attack from another nation. The smaller nation is not directly involved in the escalation of commitment but it is directly impacted by it. 2. Large organisations do have limited IT security budgets and, therefore, have to prioritise their projects and investments. As a result, their approach will be defensive and based in a thorough risk management process. When under attack from a nation engaged in intelligence activities, organisations are unlikely to invest in a counter offence or diplomatic efforts. Instead, their investment will be limited to managing public and customer communication and in additional remediation measures if the attack is successful. Unsurprisingly, unsuccessful attacks might raise awareness about cyber-threats but are unlikely to have a significant impact on budget allocations. In this scenario, the escalation of commitment might occur, but this will be in a more moderate scale compared to that seen in nation-to-nation cyber-attacks. 3. Finally, we are left with organisations that just don’t have the appetite or resources to invest in a risk management program, gap analysis and remediation process. These organisations are the low hanging fruit for the attackers engaged in an escalation of commitment–and the effort to exploit this position of advantage should be fairly low. However, once a nation or organisation is trapped in an escalation of commitment, can they really afford to divert resources to look for low hanging fruit? Possibly not. The investment and resources of the attacker, given the high level of investment committed so far, are likely to continue to fund additional attacks and counter-attacks. In business, as in IT security, we should write off sunk costs as soon as possible. However, the theory behind escalation of commitment says that this is not the case. In a perfect business world, we should write off, i.e. as sunk costs, a failed investment or project that cannot longer succeed. However, if we just… just hire yet another project manager and request additional budget, we might be able to turn the project around this time. Right?
