Plan B Risk Specialists – Full Course Training Program

 www.planbrisk.com

A free 10-minute video course accompanies this Introduction and covers the entire Plan B Risk Training Program: an introduction to risk, the Asset Propensity Risk methodology, why it works, and how to transform your risk management programs to use the Plan B Risk Specialists approach while leveraging your already existing risk practices, IT control frameworks and compliance artifacts.  It is focused on demonstrating the SIMPLICITY and POWER of asset-based risk management.

Introduction (What is Risk?):

IT cyber risks exist.  ALL are unpredictable, though many can be anticipated: events, i.e. attacks or incidents, that violate the classic security triad of Confidentiality, Integrity, or Availability.  A primary example is unauthorized access (to cleartext data).

So how should a risk professional calculate this risk?  Don't.  It cannot be calculated directly (mathematically), as a matter of epistemological law.  Calculating the probabilities of future events is simply not possible unless you are playing a (video) game (in god mode), and past events in the real world cannot predict future events.  Furthermore, calculating probabilities is subject to DISASTROUS under-estimates and miscalculations such as false negatives, and it essentially guarantees the creation of asset exposures to ruin scenarios.  In the cyber ecosystem of information technology there is no need to use any risk or threat model that relies on probabilities in any manner, or to pretend (in retrospect) that it works; doing so is futile, and believing that anyone can measure cyber risk or IT risk directly is self-deception.  However, the salvation, if not GREAT NEWS, is that RISK CAN be measured: indirectly, specifically, and only by comparing assets to each other.

Why can't we measure it directly?

IT and cyber ecosystems belong to the realm of social science.  Social sciences involve human beings as agents in the system under study.  Therefore, any system, cybernetic or computing, that involves a human being (as a user or creator) will be dynamically complex, irrational and unpredictable, due to free will and human design imperfections.  This in turn means that all events stemming from a social system are also complex and unpredictable.  The world, in short, is not a game.  It is a social science, and events, i.e. surprises, happen all the time; they have happened historically, and they will continue to.

Any event with even a marginal or nominal involvement of a human being has an unreliable, if not unknown, probability generator (specifically, the generator is a combination of irrational, unpredictable and influential factors, and is simultaneously open to coercion and manipulation by further unknowable influences and factors).

What is a probability generator?

Every event that happens in life, when studied in retrospect, leads to a common question: what was the probability of that event actually occurring, prior to it having taken place?  In other words, whether an event actually manifests in reality is either unknown or known, and depending on the observer, YOU or God mode (with all knowable knowledge of the past and the future), the probability of the event taking place is/was 0, 1, or unknown.

If God knows a future event will happen, then the probability of that event is 1 (or 100%).  But for anyone else, certainty that an event will occur is always less than 100%.  Frankly, the only real knowledge in this world is knowing that something has failed or just hasn't happened yet...

An argument can be made that certain events are fairly predictable, or predictable enough with confidence, say with 80 or 90% assurance (meaning the event reliably took place 900 out of 1000 times when YOU bet (had a stake) that it would happen).

And this is true.  But to guarantee this 90% probability, the event itself would need to belong to a class of events where strict rules or real physical controls are in place which prevent deviation and prevent surprises, i.e. unknown risk, from manifesting.  The only classes of events for which the probability generator is consistent and conforms to an expectation of predetermined probabilities are games (casino / computer / virtual) and mechanical fault-tolerant machines (made of steel).

But here, our focus is on IT security, privacy and cyber risks...

It should now be clearer that, since cyber and IT involve people, there is a bona fide human agent involved in the manifestation of an event and in its probability of occurrence (typically in the form of a human operator performing, executing, or delivering an IT or business process or service).

In this realm of cyber and IT, the probability of an event taking place is not 1% or 100% (although that is certainly desired often enough), and the only truth about that event ever taking place reliably is that it is unknowable and unpredictable; in short, unknown.

Additionally, and critically, the probability of an event taking place matters less, and does not really matter at all, because we have not yet disclosed that the IMPACT of an event matters more.  In fact, non-linear and exponential impacts that were never considered possible MUST always be considered by a risk professional.  Surprises must be top of mind, and must be the largest and most important driving force behind any risk estimation or discussion of risk, such as prioritizing assets and exposures subject to unknowable risks and events (typically adverse ones).

The impact of an IT cyber event is what matters, NOT the probability or estimation of an event taking place.  Knowing which of the Four Quadrants or Classes of Risk Decision-Making an event or its probability generator falls into is knowledge enough (all that is needed) regarding the probability of any IT or cyber security risk event.

What is the Fourth Quadrant?

See the following for a full explanation:

https://www.edge.org/conversation/nassim_nicholas_taleb-the-fourth-quadrant-a-map-of-the-limits-of-statistics

Side note:

Most IT processes and cyber operations are designed with a desire to be guaranteed, or to have Non-Repudiation.  However, the best that can ever be achieved is something along the lines of 99.9999% reliability, and all risk models should acknowledge that the probability of success or failure, or of a future adverse event, is in fact unknown.

Inquire further here for a separate, but related, discussion regarding Non-Repudiation (NR) Systems and how to use the concept of NR and NR principles in the design of secure systems for Internet, Social Media, Government or Banking applications.