Dexa Systems
09/09/2011 09:59 AM Posted by: Theodore Van Rooy

What are the Chances?

In a complex world made up of complex phenomena, have you ever stopped to consider what the difference is between decision-making and luck? Decision-making is not easy, yet all great leaders exemplify this quality. CEOs, politicians, and army generals all seem to make quick and brilliant choices between two tough options. The right decision leads to success and the wrong one to ignominy.

But what if brilliant decision-making is increasingly indistinguishable from luck? If the average human mind strains to remember 7-10 digit phone numbers, how can it properly assess security, organizational, human resource, legal, and regulatory risk in a globalized and highly connected world?

Consider this: for every 1,000 random investments in security or organizational strategies, at least 1 will be amazingly profitable, mostly by sheer luck. This was the subject of Nassim Taleb's follow-up to The Black Swan, Fooled by Randomness: The Hidden Role of Chance in the Markets and Life.

How then can we make informed and intelligent decisions? Other than divine intervention, the best answer is to rely on mathematical and statistical models along with computer simulation to help forecast, predict and control risk.

Scientists use mathematical and computational models to design rockets, build supertankers, and optimize traffic flow through our cities. Why would IT and security managers do anything differently to manage the extremely complex and dynamic systems of networks, firewalls, and access policies that make up an IT infrastructure?

We should all be asking “What are the chances?” But instead of the usual meaning, i.e. “the chances are so small it won't happen,” we need to realistically assess the data and let the numbers speak for themselves. Let's assess the probability and consequence of a weak access policy, a faulty server, or an organized attack. Let's take a painstaking look at what happens if the CEO's unencrypted laptop is stolen and the plans for a billion-dollar merger are released to the general public.

The probability might truly be so small as to appear negligible. But isn't it funny how those tiny chances, when multiplied by millions of dollars, always seem to work themselves out into headline news?
