Black Swans and other things

-

Back swans and other things.

For transparency I’m not an academic. What I enjoy doing is reading academic works, it does not matter what field, with the objective of attempting to answer questions I have related to information and cyber security.
Two [of many] questions [the context throughout this blog are businesses, organisations, and information and cyber security].
  1. Why, in the many cases that have been documented, do Chief Information Security Officers [CISO] get shown the door following a major breach of a company network? Whilst CISOs are highlighted, others having a similar role but not called CISOs, are also covered under this question.
  2. Why, given the current situation of COVID-19, were many businesses unprepared?

The unauthorised attempts at infiltrating a company network, are not outliers [thus not a Black Swan], they happen daily, it is the norm.

The evidence, even though prejudiced in itself, is there for all to see. I say that the evidence is prejudiced simply because not all the evidence is made available or reported. In fact, it could be suggested that unless an organisation’s hand has been forced, breaches and any resulting negative activity will be kept as quiet as possible.

Does this distort the statistics that pop out? Yes, of course it does but confirmation bias leads us down the path of believing all swans are white or, not taking seriously what we don’t see [Taleb].

Following a large data breach hindsight bias leads us down the path of, we knew about this all along, so why was no action taken? CISO, you’re fired. Unless CISO is a complete numpty, they will know and will have communicated the many challenges in the information and cyber security environment, much of which is unseeable, unknown.

COVID-19, described as a pandemic [WHO], is causing untold misery at the human level as well as the business level. But, is it an outlier, a Black Swan event that was unexpected; came out of nowhere?

Figure 1 - Nothing scientific in this, just observation. Nassim Taleb’s criteria summarised to the nth degree

A top-down view suggests that pandemics are not a Black Swan events. That is to say, not all criteria [Taleb] have been met. However, when drilling down to a particular cause of a pandemic, COVID-19, it does meet all criteria [IMHO], and thus could be described as a Black Swan event. 
So, based upon this I have two thoughts:
  1. Pandemics in general are not Black Swan events. History is full of examples of pandemics. Therefore, some level [base line] of contingency should be in place. But, in this instance, the type of virus was an unknown-unknown.
  2. COVID-19 is a Black Swan, because as a particular strain of virus [all mutations considered], it is an outlier and no amount of planning for this unknown-unknown could be have been in place. The only contingencies that could have been planned for were at the pandemic level [the baseline].
What does all this mean, in my eyes at least?
The world is a slightly different place [that goes without saying really] and businesses [organisations] of any type, sector, size are going through the ringer. Some will survive, sadly many will not. Could some of the challenges have been planned for? Yes, at the higher level. Of course, this is hindsight bias, planning for a pandemic/epidemic/weather/damage to business objectives, brand/keeping the business going could all have been planned for as a base line; ensuring continuity rolls down to a granular level.
  • Now, working from home [reaction to the situation], should I use a web-based conferencing system? Yes, I need to. Everyone is using Zoom, let’s follow the trend. In the short term why not, because I’m happy to compromise the long term [John A Zachman]. Meaning, that I don’t care about the long-term security/data protection implications, I need a short-term solution, and because I cannot see the long-term negative implications [confirmation bias]. Hindsight now tells us [as it did with the Zoom CEO] that basic security measures should have been in place. Too late.
Do I need to put in place contingency for ‘a’ pandemic? Yes, that is the ideal. But I cannot see the long-term implications, so I don’t. I will simply rely upon a short-term reactive solution.

But the world is different now. Surviving businesses will look [in hindsight] one hopes at the business continuity; contingency planning; disaster recovery. But CISO [and similar] may say, hang on a minute, let’s do this the right way. At the moment we react for immediate gratification [Zachman] from the bottom-up [put in a UTM box etc.], it is now time to plan and implement top-down. 

We cannot plan for the next COVID-nn because we don’t know what it will look like [presumably]; we cannot plan for the next zero-day exploit, we don’t what that will be. But we can plan for a pandemic; for an epidemic; for the weather; for protecting the business and its brand. Top-down, and not bottom-up.

We are in this together; we always have been, it’s just that some fail to recognise their own biases that impacts upon the whole system.
  
Disclaimer:In an attempt to discover some answers, I looked at the work of Nassim N Taleb [The Black Swan 2007; and Fooled by Randomness, 2001], as well as other works based upon cognitive bias, and specifically confirmation bias; self-serving bias; hindsight bias. I can of course be accused of using various biases within my thinking; but I’m not attempting to persuade others [you], I’m simply putting down what is in my head whether right, wrong, or simply indifferent.

[NRL]



Popular posts from this blog

Personal data or PII

-
Image
PII or not to PII, that is the question PII, or personally identifiable information, is used an awful lot to describe something that within the EU-GDPR, DPA2018 (UK-GDPR) is referred to as, personal data. What is personal data vs PII? Personal data - means any information relating to an identified or identifiable natural person (’data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (GDPR, Art 4(1)). PII is identified in US law as - information that can be used to distinguish or trace an individual's identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.  (Offic
Read more

A laptop called information

-
Image
Information asset – a laptop too far An asset is most often defined as being something of value [to the business]; a resource that has economic value. In accounting terms, ‘of economic value [to the business]’ means, a resource that has the ability to generate financial benefit [or loss].  An information asset could be defined as being a body of knowledge [information], a resource that has economic value, [benefit, or loss to the business]; where a body of knowledge is the collection of information gathered together in one or more places. For example: an information asset [a body of knowledge] that is intellectual property [IP] could be said to have financial benefit; it is has economic beneficial value to the rightful owner. However, if other parties gain unlawful access to the IP for their financial benefit, this could impact upon the lawful owner’s rights. How important then is that IP to its rightful owner?  To put it another way; if the lawful owner of the
Read more