(Originally published on LinkedIn September 10th 2014)

About a year ago I had the opportunity to conduct some security assessments at a partner’s facility deep in the rain forests of Brazil. While I was there I was given a very unique opportunity and that was to not only take a cruise on the Amazon, but to actually swim in the confluence of the waters of the Rio Negro and the Solimoes where the Amazon officially begins.

Swimming in the confluence of two rivers is probably not the smartest thing to do - especially in the Amazon. Not only do you have unpredictable currents and eddies but you are likely to have predators lurking there to take advantage of the food sources coming out of each river.

At this stage most people think I’m crazy for doing such a thing. Honestly I’m not one of those guys who likes high adrenaline activities like bungie jumping or hand gliding so why would I do something like this?

Honestly it was an opportunity that I didn’t think I’d be presented with again so when I weighed the opportunity versus the risk I decided that it was something that I’d regret if I passed up the chance.

So why am I telling you this story? Well, I was reading a recent article on Harvard Business Review entitled 9 Habits that Lead to Terrible Decisions. We, as Information Security Professionals, live in a dynamic world that is never static. With active attackers, malicious insiders, and non-security savvy users it is inevitable that security incidents will happen. Even if we were able to identify each and every possible way our security systems could fail, we simply can’t afford to address all of them and therefore tradeoffs need to be sought. This is our classic risk equation.

Much like my little dip in the Amazon - we weigh the known facts, determine the likelihood of bad things happening, factor in the reward for taking the risk, and make a decision on the best course of action to take. If we are right then we reap the reward for taking the risk. If we are wrong we need to figure out how to react and then need to critically evaluate what happened that lead to the incident. In my experience incidents are almost always the result of an improperly designed process and not necessarily the failing of a specific individual or technology - they are but surface symptoms of a deeper flaw that if left unaddressed will open the door to more incidents.
That brings us back to the 9 Habits that Lead to Terrible Decisions. While this article is written for business leaders and not specifically those of us in the technology field, there are lessons we can learn from them. I’ve boiled HBR’s nine habits down to four based on both my own experience conducting “after action” analysis into process failures and added some questions that you can ask yourself as part of your decision making process.

• Remaining locked in the past
• “Am I actively checking and verify the facts as they are and not relying on old information?”
• “Am I basing this decision on assumptions that I haven’t verified recently?”
• “Am I stuck in a ‘we have always done it this way’ mode?”
• “Am I being resistant to exploring alternatives that may work better than what we are currently doing?”
• Indecisiveness
• “Am I stuck in information paralysis?”
• “Am I too dependent on information from others to act independently and make a decision when necessary?”
• “Am I missing an opportunity and making a timely decision due to delays or constantly changing data?”
• Having no strategic alignment
• “How does this decision support my organizations overall goals and objectives?”
• “Have I clearly articulated that in sound and verifiable business terms with people outside my department and gotten their support?”
• “Have I reached out to garner input from the appropriate stakeholders and allow them some influence in determining the solution?”
• Not anticipating unexpected events
• “Have I developed contingency plans in case something goes wrong?”
• “Have I build in extra time in the process to verify that the quality I’m seeking is indeed being delivered?”
• “Have I brought the right expertise to bear on the problem to reduce the likelihood of unexpected consequences?”

Tags: information security, paralysis, analysis paralysis, alignment