The Death of Risk Management
How the era of accelerated technologies shatters our ability to calculate the probability and magnitude of future loss events.
By Eh'den Biber
Prologue
We don't listen to what we aren't ready to listen to.
Dr. David Perlmutter is a neuroscientist. His latest book, “Brain Maker – the power of gut microbes to heal and protect your brain – for life”, became an instant best-seller when it was published last month, and frankly it deserves to be because it is brilliant. In the book, Dr. Perlmutter writes about how science is starting to discover the total dependency between the microbes that live in our gut and our mental and physical state. Obesity, diabetes, Multiple Sclerosis (MS), autism, depression, cancer – all seem to have a direct correlation to the state of our intestinal flora. Today I showed a video clip of an interview with the doctor on the subject to the 14-year-old son of my partner. He watched it with unease, and when it ended he poured a huge amount of condensed milk on his breakfast, in total contradiction to the advice the doctor had given during the clip to avoid sugar consumption where possible. I looked at him, amused, and after a few minutes I heard him telling his mum that he found the doctor's argument insufficient.
This article is meant for those who are ready to accept that their perception of reality has been wrong. Like my partner's son, the majority of the people who have the opportunity to read this will dismiss it, because it will contradict their perception and be in direct conflict with what they want to hear.
The hard problem of risk management in the 21st century
Most established businesses make their decisions based on risk analysis. Risk is the probability and magnitude of a loss, disaster, or other undesirable event. Most organisations are pretty much infantile in their risk analysis and use point estimates, while only a few approach it as (data) scientists, developing models within a framework to investigate their (big) data and arrive at a quantitative analysis.
As a lover of science I applaud the data scientists in the information security risk community. People like Jack Jones and Alex Hutton have helped me realise the beauty and science behind their quantitative approach, and if you have never heard of them I urge you to check out their activities, especially Jack's work at www.cxoware.com, which was recently recognised by Gartner as a “cool vendor for risk management”.
The challenge that risk scientists face, including those who work in information security, is that they are fighting an uphill battle that is becoming harder and harder to win every day. To understand why, let us look at the nature of risk management.
Risk management started to be studied after World War II. The first two academic books on the subject were published by Mehr and Hedges (1963) and Williams and Heins (1964). Their content covered pure risk management, which excluded corporate financial risk. In parallel, engineers developed technological risk management models, and financial risk management has evolved since the 1970s. (Source: Risk Management: History, Definition and Critique, Georges Dionne.)
Information security didn't really have quantitative methodologies until the 21st century. OCTAVE (2001), FAIR (2005), ISO/IEC 27005 (2008, 2011), NIST 800-300 (2011), and COBIT 5 for Risk (2013) are the predominant information security risk management “frameworks” out there, trying to answer the obvious gap we were facing in our profession. The problem is that, regardless of which methodology or framework one uses, our current state of constantly accelerating technology evolution prevents us from being able to quantify risks. Let me explain why.
Risk, as we said before, is the probability and magnitude of a loss, disaster, or other undesirable event. Since we live in an era where technology is constantly evolving and expanding, the complex adaptive system of which the technology is a part is constantly creating emergent properties. These properties are “unknown unknowns”. No one knew that Apple's mobile phone (the iPhone) would totally transform the market and destroy a company like Nokia (after all, Nokia ruled the smartphone market before the iPhone came), no one imagined social media would make such a huge difference, and I can assure you – no one ever predicted a period in which zero-days would become the norm in the information security landscape, and in which everything and everyone is hackable.
The more technology evolves, the more impossible it becomes to provide an accurate prediction of either the probability or the impact of future events. Nassim Taleb wrote about this in his books (most notably “The Black Swan”), and yet even after that book most risk experts refuse to accept the current state of knowledge and think that if they build a better model, or collect more data, or perhaps change a framework, they can provide a risk assessment.
In a world where every month or week we hear about a critical zero-day vulnerability or a breach (perhaps soon every week or day), the “probability” part of the risk is becoming unmeasurable, because frankly everything seems to be insecure. To make things even worse, the impact assessment of a future event is becoming unmeasurable too. If your organisation was hacked and your data was stolen, providing a real impact assessment is becoming impossible, because this data feeds so many other systems and creates so many emergent properties that are in turn used by so many other systems.
In the language of risk people, we live in an era where providing a probability distribution of the impact of a future event is starting to become a calculation of “unknown unknown” times “unknown unknown”. Think fractals times fractals.
I'm aware that many risk experts will disagree with my statements above. To those who do, let me go back to the beginning of this article and recommend again that you read “Brain Maker”. Science got it wrong for many years because it was sure that if we understood DNA we would be able to solve all of our diseases. It totally ignored the fact that for every human gene in your body there are at least 360 microbial ones, and it totally ignored the interconnectivity of events that occur in the gut and their impact on the human condition. To shatter the notion that we are our DNA, it turned out that changes in the ratio of our gut bacteria can change the actual expression of our DNA. The human tendency to simplify reality so that it fits our perception of it is a natural thing. No matter how complex our calculations are, only a true scientist will admit that we still can't perceive the complexity of it all.
Like my partner's 14-year-old son, most organisations and people will refuse to accept that the way they live their life is destructive to them. Frankly, no one likes to see their perception of reality shattered in front of their eyes. Even for a scientist, accepting that the current state of the system you're operating in has turned your scientific approach into proto-science is hard, and painful.
Welcome to the Chaos - Epilogue
“IF ONE SEES NOUGHT WHEN STARING INTO SPACE; IF WITH THE MIND ONE THEN OBSERVES THE MIND, ONE DESTROYS DISTINCTIONS AND REACHES BUDDHAHOOD.”
(Tilopa’s Song of Mahamudra)
“To understand Tilopa you have to move through a chaos. He will destroy all your conceptions, all your mathematics, all your logic, all your philosophy. He will simply destroy you completely. He will not be satisfied unless you are completely destroyed and a new being arises.” (Osho, “Tantra, the supreme understanding”).
Turn on the TV and you will see ISIS performing human atrocities which are broadcast and distributed via the technologies that were developed by the cultures and societies they swear to destroy. Take a look at any information security website and the number of attack surfaces seems to be never-ending. Technologies that were developed to protect us (e.g. software auto-update mechanisms, keychains) are being used against us.
We are facing a new era, one in which our technologies and methodologies collapse, one in which “unknown unknowns” will become more and more part of the now we experience. It is time for those of us who are brave enough to embrace the state we are in and have a conversation on what is possible for us to do next. I know how hard it is to let go of our current perception of security, I've been there. It takes real courage to face reality, and awareness is the true security we could have.
feel #COMPASSION to everyone
celebrate the now in #STILLNESS
Namaste
Eh'den
© All rights reserved, 2015