The Unknowns of Cyber
M31 Consulting
Your Independent Digital & Technology Advisor - Fractional Digital Leadership
What we know:
Generally, our approach to cybersecurity can feel logical and organised, but there may be many well-known approaches and frameworks that we should follow.
We tend to treat cyber security through the known knowns. And why not? They are laid out; there are precise infrastructure purchases, security devices and software, wisdom passed down, and known past issues. There seems to be a straightforward path.
However, cyber security can be far from logical.
There is something about uncertainty that creates paradoxes. The challenge is not always dealing with the known knowns but lies in the unknowns. This is where uncertainty rises.
Should we worry about the knowns? Of course. Those are essential established wisdom and need to be addressed. But how do we start dealing with the unknown unknowns? Why? After all, it’s far more likely that we will need to deal with these unknown situations.
Aircraft:
During World War Two, Abraham Wald, a statistician working for the Statistical Research Group at Columbia Institute, recognised one of these paradoxes. There was significant damage to aircraft during the war, and a group of mathematicians used statistical methods to try to understand ways to improve the reinforcement and protection of aircraft.
They examined different ways to determine if an engine or wing was damaged or where the different holes might have appeared after being shot. However, during this process, they forgot that what they were seeing came only from the aircraft that had survived and come back. There are some logical conclusions to draw from that data, for example that if an engine is damaged, it’s likely to bring a plane down.
However, was that enough information? What about the information they were not seeing? They needed information to complete the story, to know where the aircraft had crashed and never come home. To complicate things, these aircraft were most likely unable to be accessed behind enemy lines.
This revelation started a line of thought that goes, “Hang on a minute.” Perhaps we need to look in places where an aircraft has not been damaged. Further, perhaps they needed to find crashed aircraft and examine some of those if possible. They realised that amongst all the data, the bias in the equation took them to the things they could see.
However, what you can’t see creates more uncertainty. This is called a survivorship bias. We can draw some reasonable conclusions from these scientists’ work, such as understanding that the places that weren’t being impacted by attacks were good places to examine for locations to reinforce.
It seems a paradox.
Black Swans:
There is another layer to this onion. We also need to look inside those places we don’t usually expect—those uncertainties and unknowns. But how can we deal with these unknowns? The first step in this realistically is acknowledging that these conditions exist—a type of black swan event, if you will. A black swan event is when, despite all mitigations and all reasonable controls being put into place, an unpredicted event of significance is still oddly probable to occur.
What we don’t know:
This tells us that, in how we approach cyber security, in addition to dealing with the things that we know (that’s important and wise), we’ve got to be good and strong at looking for and examining unknowns. Any area that can be attacked should be assumed to be under attack.
What are those areas? It’s not so obvious. It could even involve our people. It’s those little things that you didn’t know about that are going on around you.
For all the talk that is going on in the world of things to look for, 81% of all cyber-attacks result from human error. It’s not always clear, though, why that happens. There are psychological reasons for it. We can be highly disciplined and still have an accident. We’re human. And unfortunately, there are reasons for malice.
Have we spent the time talking to our people? Have we spent that time getting to know where they’re at, what they’re about, and why they’re doing what they’re doing? This is the tip I want to leave you with today. The tip is to go and look. It’s to go and ask.
It’s to lift that stone and think maybe I should ask some questions. Perhaps I should get to know my staff and their processes differently. Look at some of the pain that they’re experiencing. Ask them about old processes and procedures that have never been used or updated in a long time. Look for people who have found a better way. Look for the lazy – the lazy man is a person who has figured out a way to make their life easier. Look for those things. How do you do it?
How we get to know:
We’re far more likely to start closing the unknown gaps and translating them into known gaps by getting to know our people while they’re doing what they’re doing.
We can all benefit from training to look at the technology we use daily and ask ourselves why – why do we do that?
We can look at those situations ahead of us and say, “Hang on a minute. I’ve got some great people on my team with some great ideas. What if we’ve accidentally given our team too much rope, and they’re tangled in something that we don’t know about in our cloud resources, in our Microsoft 365 or our Google G Suite? Are tools not necessarily secured as firmly as they could be?”
How do we know if we don’t look? People like Abraham Wald think differently. They take that moment to look at these paradoxes in life, business, and our reality and look for different ways to benefit themselves and their team.
Be creative with your team and organisation, and go asking. Look at what’s making the team successful in what they’re doing, and look for the lazy and their shortcuts along the way. They will show innovation. They will show you improved ways of doing business and building your teams. You will also have more known unknowns.
So, go. And have a look today.
Pssst:
Has someone been so pi$$ed off at trying to innovate that they deploy tech that you don’t know about so they can be more productive, improve customer outcomes, and make life easier for themselves and the rest of the team? We would love to hear your examples; drop us a line!
OAIC – Notifiable Data Breaches Reports: Jan to June 2023
Abraham Wald – Wikipedia
Written by Michael Meyer for M31 Consulting
April 2024