Why do we refuse to abandon security processes that don’t work?
I dropped my son’s computer case in the bin this morning and it felt liberating. For some reason, I kept finding ways to rationalize keeping the gutted husk month after month. “We might be able to rebuild it,” I told myself, secretly knowing that we never would. The PC was thoroughly stripped down, the form factor was annoyingly proprietary, and history had proven this machine was a dud. Why was I so keen to hang onto it?
For context, our youngest bought a gaming PC three years ago. A well-known manufacturer offered a competitive price on a desktop PC with good stats, a strong video card, and a killer warranty for about £700. My son worked part-time during school, saved up, and bought his first new computer right as he and his mates were getting into Steam Sales and MOBAs. He had a blast with his new machine … for about three months.
One evening, my son complained that his PC had suddenly shut itself off without warning. He was in the middle of a game when <FWOOP!> it powered down. Nothing else in his room powered off … just his PC. We installed a backup battery, and asked him to keep us posted.
The next weekend, his PC powered down again. As before, there was no warning and no detected fault. No power outage, either. The computer simply self-terminated. We updated its firmware and did some research on the manufacturer’s support forums. They suggested that software incompatibilities could crash Windows 8 and advised reloading the OS. We did. Nothing changed; the PC kept powering down randomly.
Losing your work in the middle of a project is infuriating no matter who or where you are. It doesn’t matter if it’s a friendly game or a critical e-mail … we rely on these machines to work as-designed and become incensed when they fail.
We wondered if there was a thermal management problem and found that if we took the top cover off and added a desk fan to help with the cooling, it didn’t crash … as often. The little-machine-that-couldn’t still self-terminated at random intervals but might run for a half-hour first. Try as we might, we couldn’t correlate room temperature, relative humidity, running software, stock market reports, or any other factor to the crashes. Something inside the little box was prone to random existential crises.
We called the manufacturer’s warranty service and it was abysmal. They wasted our time by having us e-mail them system logs and run the basic diagnostics that we’d already performed dozens of times. Eventually, the manufacturer broke down and dispatched a field technician to test the hardware. The fellow was polite, professional, and personable … and couldn’t find anything wrong with the parts. He had the PC running on our kitchen table for ten minutes and called it “fixed.” It self-terminated again while the tech’s car was backing out of our driveway.
A hardware tech visited us multiple times. He replaced the RAM, logic board, power supply, and video card multiple times. Everything changed but the case, yet nothing solved the problem. My son was frustrated; I was livid. This multi-billion-dollar corporation had sold us an obvious lemon and wasn’t willing to replace it with a model that worked.
What was worse, these tech support visits were costing us money. Their techs would only come out during regular business hours. Our boys were in school. My spouse and I both worked full-time. One of us had to be home for the tech to service the PC. On the third (or maybe fifth?) visit, I counted the paid time-off I’d expended and realized that we’d put more money into fixing the darned PC than it would have cost to simply buy a replacement.
“I’m going to stand here and watch you for fifteen minutes. If you don’t mysteriously power down during that time, that’s all I need.”
That was when I said “enough” and told my son that his machine was kaput. We tore it down anyway, searching for possible hidden flaws, and found nothing. We eventually parted it out and left the disassembled PC in a box that somehow migrated from my son’s room to my office. Where it sat. Gathering dust. Taking up space and providing no value for a really long time.
So, why didn’t we just scrap the garbage PC after the first failed support visit? Why did we hang on to its parts for so long? What kept us wasting our time, money, and effort on the obviously defective computer? Three words: sunk-cost fallacy.
This behaviour (also known as “escalation of commitment”) happens when people continue to pursue a failed (or failing) strategy because they’ve already invested so much time, effort, and/or loyalty in it that they feel it would be wrong to stop. My trivial PC repair quest is a relatively harmless example; the U.S. Department of Defense’s $850 million commitment to the disastrous Defense Integrated Military Human Resources System is a good illustration of how badly a well-intended program can go off the rails and squander scads of resources. When a person falls victim to the sunk-cost fallacy, they (and sometimes their immediate friends and family) suffer. When a major organisation falls victim to it, lots of people suffer.
Businesses are particularly susceptible to the sunk-cost fallacy, and security organisations aren’t immune. Vendors and salespeople promise miraculous results from their new products and solutions, even when the kit hasn’t been fully tested in the real world. The sales pitch is often more mature than the technology it advertises. Clients buy in … only to find out after a tremendous investment of time, effort, and cash that the technology can’t deliver on its promises at all or can’t deliver without even greater delay and expense.
“Yes, of course it does that. No, I don’t actually know what that is, but I can’t imagine the product not doing exactly what you need.”
A pragmatic perspective would call for ruthlessly staunching the bleeding. Terminate the project, scrap the malfunctioning kit, and move on. People, however, tend to be more … let’s be charitable and say “optimistic” about the future. We’ve already invested a million quid in this project … we can’t just abandon it now. Sunk-cost fallacy stops leaders from doing what’s best for the company.
Sometimes this is due to a perceived loss of face; they don’t want a reputation as “the person who failed to implement X.” Sometimes it’s due to wounded pride and ego preservation; they won’t let themselves fail because of the damage it would do to their self-image. Other times it’s due to power dynamics, or promises to stakeholders, or commitments to third parties. There are often very compelling reasons to keep throwing good money after bad. However, good reasons alone aren’t enough justification to keep pursuing failure when all the signs say that success isn’t realistic.
As security professionals, we must be on constant guard against this flawed mode of thinking, in ourselves and in our organisations. Whereas other departments’ commitment to failed solutions negatively impacts production, our commitment to failed solutions exposes the entire organisation to unnecessary risk. We must be vigilant about the technologies and services running in our domain … and we must be ready to immediately terminate those technologies and services that aren’t producing required results. Take out the trash and get on with serving the organisation.
Note: the manufacturer shall remain nameless out of professional courtesy.