Blaming Risk Management done poorly

A recently published article references frustrations with risk management in cybersecurity. I believe these frustrations are primarily based on a misunderstanding of how risk management and, in particular, cyber risk quantification work.

The article is available here:

https://www.ft.com/partnercontent/illumio/right-into-the-danger-zone-the-false-comfort-of-risk-management.html

You can share your thoughts directly with the author:

https://www.dhirubhai.net/posts/john-kindervag-40572b1_right-into-the-danger-zone-the-false-comfort-activity-7252710831837097985-WxB8?utm_source=share&utm_medium=member_desktop

or right here responding to my own review.

The author is no one other than John Kindervag the creator of Zero Trust. I immensely appreciate his work and contributions to cybersecurity especially the ZT framework, model set of principles (or whatever you want or call it) that I wholeheartedly support. My comments are in the spirit of clarifying misconceptions and misrepresentation of cyber risk quantification.

I will quote sections of the article and share my comments on each.

“Today’s cybersecurity leaders are confronting an unprecedented onslaught of existential threats.”

“Existential threat” to whom or what exactly? Doug Hubbard would probably respond, “Hyperbole will destroy the world.”

There is no “existential threat” from cybersecurity for humanity.

Some organizations might cease to exist after a major cyber attack, but most do just fine, including the unprepared ones.

We cybersecurity professionals need to get out of our echo chambers. We have wars, famine, natural disasters, climate change challenges, and nuclear war threats. In that context, we should not talk about “existential threats” and recognize the larger context in which we operate. We are incredibly privileged and fortunate to sit here and debate on LinkedIn. We should only use that term in a minimal, clearly defined context.

In cybersecurity, there’s a pervasive term that we need to rethink: “risk management.” It suggests that we can predict the likelihood of a cyberattack.?But truthfully, there’s no way to calculate this probability amid a sea of countless attackers, techniques, vulnerabilities and hapless users.?There are just too many variables to consider.?

Sure, there is. It's called Cyber Risk Quantification. And we eat the elephant one piece at a time. We don’t look at countless attackers, techniques, vulnerabilities, etc..… but instead define particular probable loss events. We don't get paralyzed by all the possible variables and use validated models that use the variables that matter.

Cybersecurity is about survival, not statistics

Cybersecurity is about the survival of what exactly? Not defining the context is hyperbole.

I argue that our survival (as humans) relies on decisions made using statistics in domains such as healthcare, epidemiology, environmental science, food security, etc.

Statistics can inform our decision-making in cybersecurity.

The problem with risk management is that it gives us the false comfort of numbers, projections, and percentages.

Risk management helps us reduce uncertainty about our problem space to make better decisions. Accurate numbers, projections, and percentages should comfort us.?

We start believing that a breach is just a possibility we can calculate, or worse, tolerate.??

Yes, we can estimate the probability of a loss event occurring, estimate its probable impact, and decide if we can tolerate it because we have constraints and must prioritize other investments. Trade-offs must be made; we do not have infinite resources.

But cybersecurity isn’t about acceptable losses; it’s about survival.?

That’s hypebole again inline with the previously stated “existential threat”.

When a threat actor gains access to your network, the potential for harm is far beyond what any risk model can predict.

We can estimate the losses we will incur from well-defined loss events in terms of productivity, response, replacement, competitive advantage, fines, reputation, etc

I would even argue that making accurate estimates for the losses is easier than for the frequency of the loss events.

The word “danger” carries an urgency that “risk” simply doesn’t. When you sense danger, you don’t weigh the odds — you act immediately. Danger evokes a primal response that demands vigilance and readiness. This is exactly the mindset we need in cybersecurity.

What is the definition of “Danger” in an organization? Are all “dangers” the same? Do all “dangers” require the same response time, i.e., “immediately”? What does "immediately" even mean in an organizational context? Do we drop everything else we have been working on, including activities that address previous "dangers," and deal with that new "danger" instead?

Do we spend on each “Danger” we have and take budgets away from other investments like marketing, R&D, etc., and ask the board to invest it in everything the cybersecurity professionals believe is needed to deal with “Danger”?

Our brains are hardwired to react to clear and present dangers, not to abstract notions of potential harm. When our ancestors faced predators or hostile environments, they didn’t pause to assess the statistical likelihood of harm; their brains triggered fight-or-flight responses that ensured survival.

I agree, and that served us well when we lived in the wilderness surrounded by predators. However, context matters, and this is not the environment in an organization. This is classic System 1 thinking, and context matters.

I'm no expert, but I would guess that a fight-or-flight response isn’t triggered by simply using the word “Danger” in an organization when discussing cybersecurity threats. The cyber threats we face are essentially not physical and are abstract. Our brains will not process them similarly to the fear of predators because we change the terminology.

I doubt using the word "Danger" in cybersecurity will trigger any fight-or-flight response because that response has emerged and passed on through a very long process in the context of predators, etc. That will not change because of using the word "danger."

This is also a very reactive approach. Should we wait until our spidey-sene tingles to scream “Danger” and hope this triggers a response where all required resources are available to deal with our challenges? The cybersecurity problem space is complex and needs analysis, not instinct, though instinct can be beneficial in incident response situations.

Screaming danger in the board room will end up like the man who cried wolf. If nothing happens, we will have to explain how uncertainty works.

In cybersecurity, shifting the conversation from risk to danger taps into this primal instinct, encouraging organisations to treat cyber threats as immediate, existential threats that demand swift and decisive action, just as our ancestors would have when faced with a lion or a storm.

I imagine the word “danger” has been repeatedly used in cybersecurity discussions in boardrooms, interchangeably with threats, vulnerabilities, and risks. We are not very good with terminology, and I doubt it had any impact.

That’s why we must reframe the conversation and shift to a danger-based model.

What precisely is a “danger-based model”?

Imagine if organisations treated every network interaction as a potential danger, rather than calculating the "acceptable risk" of allowing a request through. This shift would force companies to invest more in threat detection, containment, and response. It would move us away from the passive approach of ticking boxes for compliance and toward the proactive stance of defending the enterprise as if it’s under constant attack — which, in reality, it is.

?I’ve no issue treating “every network interaction as a potential danger.” To get to that state, we have to make investments. Hundreds of vendors have even more solutions, products, and services. Which should we invest in, and how much investment is rationally justifiable? Is it OK to ask the board to scrap the marketing budget because we need it for cybersecurity?

?Danger management creates a culture of urgency. It fosters an environment where everyone from the boardroom to the server room understands that security is not negotiable.

How is that any different from risk management? Risk management done well creates a sense of urgency for the risks that require it.

The conversation should not be about how much risk we’re willing to live with but about how we are going to mitigate the dangers we face every day.?

Again, that is what risk management does. It acknowledges that we have limited resources and thus supports making informed decisions to allocate them better. This “Danger” model assumes that organizations have unlimited resources and that by screaming “danger,” we can allocate all infinite resources toward cybersecurity challenges.

Governments allocate budgets to health care, law enforcement, defense, etc., to address the "dangers" we face. When they do so, they acknowledge the risks we are willing to accept (or they would have allocated more resources).

?Risk management dulls that urgency, making us believe we have more control than we actually do; danger management forces us to stay sharp, vigilant, and prepared for the inevitable.

Risk management, like anything else done wrong, can cause more harm than good. However, if practiced well, it can create a sense of urgency. It also helps us focus on what we can control and identifies the areas where levels of uncertainty are high and require further insights and information.

Being "prepared for the inevitable" is more in the realm of resilience. Resilience focuses on being prepared to be unprepared; it deals with unknown unknowns. Risk management deals with unknown knowns.

?It’s not about mitigating risk, but about surviving the dangers of an increasingly hostile cyber landscape.

We survive dangers by mitigating or avoiding risks; this doesn’t change when we use the word “danger” instead of saying “risk.”

?Final words

I understand our frustration about the challenges we face in our cybersecurity problem space. However, that does not mean we should pick on poorly done practices and judge them as a whole.

That's like picking on failed Zero Trust projects and claiming that ZT is a colossal failure and that we should do something else.

Zero Trust, CRQ and approaches to create a sense of urgency can all complement each other. It isn't one or the other.

For anyone interested in learning more about Cyber Risk Quantification, I recommend the below references:

• The bestselling book "HOW TO MEASURE ANYTHING IN CYBERSECURITY" by Doug Hubbard and Richard Seiersen

https://hubbardresearch.com/shop/how-to-measure-anything-in-cybersecurity-risk-2e-signed-by-doug-hubbard/

• The best-selling book "THE FAILURE OF RISK MANAGEMENT" by Doug Hubbard

https://hubbardresearch.com/shop/failure-risk-management-signed-author/

• The Award winning boot "Measuring and Managing Information Risk: A FAIR Approach" by Jack Jones and Jack Freund, PhD

https://www.fairinstitute.org/fair-book

• The amazing work of the FAIR Institute: https://www.fairinstitute.org