Possibility is a binary condition – either something is possible, or it’s not – 100% or 0%. Probability reflects the continuum between absolute certainty and impossibility.

Too often in my career, I’ve encountered executives and others who view the information security profession as being paranoid and full of “Chicken Littles proclaiming that the sky is falling.” Unfortunately, this perspective is generally well founded. We’ve tended to speak in terms of “it could happen” (possibility) rather than in terms that describe the probability of something happening.

The simple fact is that risk is always a probability issue. Consider the difference between playing Russian roulette with a standard six-cylinder revolver versus a semi-automatic. The possibilities are equal with either handgun – i.e., it’s 100% possible in both cases that the player would suffer a “negative outcome.” The probabilities, however, are significantly different. In the first case, assuming the revolver is loaded with a single bullet, the probability of a negative outcome is about 17%. In the second case, assuming a single bullet is loaded and chambered in the semi-automatic, the probability of a negative outcome is about 100% (it might, of course, misfire). Clearly, I’d rather not play the game at all, but if I had to choose between the two weapons, I’d much rather base my choice on an understanding of the probabilities, as opposed to just the possibilities. Decision-makers want and need the benefit of this same quality of information.

The natural concern, of course, is how we’re supposed to determine probabilities when there’s so little empirical data regarding information risk. I’ll go farther than that – not only is there very little information risk data, most of the data we do have isn’t credible. Here’s why. In order to establish credible conclusions from data, the data has to be reasonably accurate, current, and statistically significant as a sample. In the information risk realm, the accuracy of existing data has to be seriously questioned because it can’t be normalized against a standard taxonomy (i.e., because of our terminology challenges, one person’s “vulnerability” is another person’s “threat”, etc.). This absence of a taxonomic framework also presents a significant challenge due to the sheer complexity and variety of our risk landscapes and the fact that the data we have today doesn’t include details regarding the contributing factors for risk. For example, the annual CSI/FBI survey doesn’t describe what specific conditions existed within the companies that did or didn’t experience loss due to hacking. Consequently, we can’t know whether common contributing factors existed in those companies that experienced loss, versus those that didn’t experience loss. Furthering our challenge, the components within our risk landscape change so rapidly that the useful lifetime of data can be a problem.

An absence of good data doesn’t relieve us of the obligation to deal with information risk as a probability issue. It’s worthwhile to point out that non-data driven analyses have been successfully adopted for various applications, including medical diagnosis, missile targeting, rocket engine control, and marketing and investment, to name a few.
