The story of the turkey that reasons about the future has been told many times since its inclusion in Bertrand Russell’s Problems of Philosophy (1912). In a few words, it describes a bird at a turkey farm that gets used to being fed every morning at 9. The turkey observed that this was consistent over time and was able to infer that it was “always” fed at 9. However, just before Christmas, instead of being fed it had its throat cut.
Therefore: You cannot predict the future from observing the past.
Another bird story is told by Nassim Taleb in his 2007 book “The Black Swan” in which he discusses events so rare and unlikely that they are, in fact, unthinkable – how could you imagine a black swan when you knew for certain that swans are always white (as was the case until the exploration of Australia)?
But how many of us, examining information systems risk based on what we are familiar with (like the turkey), ignore the very unlikely and fail to consider the unimaginable? (Yes: a logical inconsistency.)
Risk is defined as the effect of uncertainties on objectives (ISO 31000). However, we forget at our peril that risk is in the future and that we do not appear to accept that our track record for making predictions is not good…
Risk management has a clear purpose: identifying, assessing and prioritizing the effect of uncertainties and how to use limited resources to control the likelihood or impact of unfortunate events. It considers three elements: Threats, Vulnerabilities and Impact.
Threats have three distinct sources. Forces of nature: there are large amounts of data on such events. We know they will happen but have no means to predict when. Then there are Accidental human actions: Albert Einstein said that the difference between Genius and Stupidity is that genius has limits. You can rely on this. Finally, there are Deliberate human actions: unpredictable in terms of “who”, “when” or “how” and, at the same time, the most likely threat to information systems and technologies.
Vulnerabilities are, in theory, manageable – assuming you know what they are – unfortunately there are such things as Zero Day events. Even when you know what the vulnerabilities are (technical and human) it takes leadership, determination, time and resources to address them. Besides,
No evidence of vulnerabilities is quite different from evidence of no vulnerabilities
Impact presents another forecasting challenge as it depends on too many factors (nature of the incident, its duration, its effect on end users and customers, etc.). We are reduced to a simple (if not simplistic) framework of green, yellow and red boxes based on known facts, and we ignore “Black Swan” events. The latter could lead to catastrophic risk.
Is Risk Management worth the effort? – Absolutely YES – on two conditions:
Recognition of the limitations of the qualitative methodologies applied to information risk as these turn such assessments into essentially “informed guesses” reflecting the knowledge and bias of the assessors.
Awareness that Black Swan events can happen and, when they do, have a catastrophic effect on information systems, particularly those supporting critical infrastructures. Worse still, Business Continuity Plans may not help in these situations. This is more than enough reason to act NOW!