The Risk of Bad Incentives

Between 2005 and 2008, guerrilla groups in Colombia destroyed more than 200 electrical towers. This wasn’t exactly new, but the number of attacks had skyrocketed, and police began to notice a strange pattern. Virtually all the destroyed towers were in the same region, belonged to the same company, and had nearly identical (easy-to-fix) damage patterns. And oddly, the attacks only happened on weekdays. An investigation eventually determined that Electroservicios, a company with an exclusive repair contract for the region, was paying guerrillas $8000 to destroy towers, which it was then paid $75,000 to repair. And why only on weekdays? So Electroservicios didn’t have to pay overtime to repair crews.

Perverse incentives are a challenge in many industries, but maybe none more than security. After all, the very issues that security organizations and professionals aim to prevent are, it could be said, good for business. While sabotage incidents like the one in Colombia are surely rare, the use of fear, uncertainty and doubt (FUD) is not. The security industry even has its own section on the FUD Wikipedia page.

Business leaders working with in-house security teams and security leaders hiring vendors face the same challenge: how to eliminate FUD and achieve right-sized security. In our experience as leaders in demanding public and private sector environments, there are some best practices for combating the bad incentive structures inherent to security work:

  • Quantify the risk: Leaders should be able to understand the tradeoffs of security decisions. Security is a spectrum, and as professionals we make risk-based decisions every day. By providing leadership with options – and their associated benefits and drawbacks – we allow them to make informed decisions.
  • Prove the impact: Impact metrics can be elusive in security. How do you capture the impact of incidents that didn’t occur? But true professionals leverage data and analytics to show the value of their work. Before a program or initiative even starts, make sure the success measures are clearly defined, then use them to hold teams accountable.
  • Incorporate diverse opinions: Security professionals have a security mindset. That mindset is essential to assessing and mitigating risk, but it can also create tunnel vision. Insights from business leaders and non-security stakeholders can help identify balanced solutions to complex problems.

PRG was founded on the principle of right-sized security. We work with growing companies to provide lightweight security aligned to their needs, and we help large established companies deliver comprehensive security with efficiency and impact. No FUD here.