Several studies conducted in other fields showed how spending effort on analysis improved confidence even when the actual performance was not improved.
A study by the University of Chicago in 2008 tracked the probabilities that participants assigned to the outcomes of sporting events. The participants were given varying amounts of information about the teams, but not the teams’ names or players. As the fans were given more information, their confidence in picking the winner increased, even though their chance of picking the winner remained nearly flat no matter how much information was provided.
Imagine how many metrics and measures we have in cybersecurity; is it your confidence level that is increasing, or your performance on the outcome?
Don’t be so quick to accept metrics and measures labeled “best practices”; the label does not mean a practice was measured and scientifically proven to be the best performer among a set of practices.
Focus on reducing risk; are your metrics and measures driving a reduction in risk to the company's mission?
Author: Dr. Bill Souza | Aug 3, 2022