From Risks to Resilience
When high-consequence, low-probability events such as global pandemics and war materialise, our risk models governing information security and privacy tend to fail. Why is that?
Resilience is the ability to withstand stress, shocks, and uncertainty. In a cyber security context, these abilities are tightly coupled with your ability to detect, respond to, and recover from security threats and incidents. Continue to adapt and learn, and you will become resilient over time.
However, classical thinking dictates that we should use a risk-based approach to prioritise and focus our efforts to make systems and businesses more secure. There are many methods and even professions (hello, actuaries) dedicated to this art. In its simplest form you multiply the likelihood of an event by the event’s potential impact to get a risk score. If you fancy yourself more advanced, you can do Monte Carlo simulations and play with Loss Exceedance Curves.
But the magic in the risk-based approach lies not in the method, but in the way the result is used. Unfortunately, risk matrices are often misused: either to justify some singular project or effort, or to communicate that risk is “within tolerance levels” – whatever that means.
Here be dragons. First, we humans are good at responding to risks that affect ourselves, but not those that impact the greater good (in this case, our business, for instance). There is a risk that we miss the forest for the trees. Second, the devil is in the details: simpler risk methods such as the one mentioned above, which are far more popular within cyber, tend to mask nuances that are needed to make accurate predictions. And the more advanced ones tend to be too time-consuming and to confuse those of us who do not have a Ph.D. in statistics.
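The scoring methods above, and the nuance the simple one can mask, as an added example that is not part of the original post: two constructed scenarios get the identical likelihood × impact score, but a small Monte Carlo simulation of their loss exceedance shows that only one of them can realistically produce a loss above 500k in a given year. Scenario names, probabilities and loss figures are invented for illustration.

```python
import math
import random
from dataclasses import dataclass


@dataclass
class Scenario:
    """Hypothetical risk scenario (constructed figures, not real data)."""
    name: str
    annual_probability: float   # chance the event occurs in a year
    impact_estimate: float      # single-point loss figure a risk matrix would use
    loss_sigma: float           # spread of the loss when it occurs (0 = fixed loss)


def simple_risk_score(s: Scenario) -> float:
    """Classic matrix score: likelihood multiplied by impact."""
    return s.annual_probability * s.impact_estimate


def draw_annual_loss(s: Scenario, rng: random.Random) -> float:
    """One simulated year: does the event occur, and if so how much is lost?
    The loss is lognormal with mean == impact_estimate, so the matrix score is unchanged."""
    if rng.random() >= s.annual_probability:
        return 0.0
    if s.loss_sigma == 0:
        return s.impact_estimate
    mu = math.log(s.impact_estimate) - s.loss_sigma ** 2 / 2
    return rng.lognormvariate(mu, s.loss_sigma)


def monte_carlo(s: Scenario, trials: int = 20_000, seed: int = 1) -> list:
    """Simulate `trials` independent years for the scenario (seeded for reproducibility)."""
    rng = random.Random(seed)
    return [draw_annual_loss(s, rng) for _ in range(trials)]


def loss_exceedance(losses, threshold: float) -> float:
    """P(annual loss > threshold): one point on the loss exceedance curve."""
    return sum(1 for x in losses if x > threshold) / len(losses)


SCENARIOS = [
    Scenario("frequent, bounded fraud loss", 0.50, 100_000.0, 0.0),
    Scenario("rare outage, heavy-tailed loss", 0.05, 1_000_000.0, 1.0),
]

if __name__ == "__main__":
    for s in SCENARIOS:
        losses = monte_carlo(s)
        print(f"{s.name:32} score={simple_risk_score(s):>9,.0f} "
              f"P(loss>500k)={loss_exceedance(losses, 500_000):.3f}")
```

Both scenarios score 50,000, yet the first can never exceed 500k while the second does so in roughly 3% of simulated years, which is exactly the tail a board would want to know about.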
And some risks need not be assessed at all. Even the most risk-tolerant of us will glance out the window and grab an umbrella before heading out in the morning if there are dark skies on the horizon. Likewise, if you are doing business online, glance out the window: what you will see is a wild west of threats, nation-state hackers and unreliable supply chains. You do not have to risk-assess whether or not to use two-factor authentication. Basic cyber security is the cost of doing business in 2023.
Another problem is that the digital space moves too fast for risk assessments alone to keep up. Threats adapt to new protection mechanisms every day and develop new tactics, techniques, and procedures. Software and hardware are deployed at breakneck speed. New tech is improving rapidly, for instance AI, as exemplified by large language models such as ChatGPT. The digital world “moves fast and breaks things”; so should your security approach.
Finally, risk assessments are often focused on preventing bad things from happening. A resilience-focused approach, on the other hand, encompasses not only risk management but also the ability to recover from and adapt to incidents. It is about ensuring continuity and rapid recovery post-incident. Building resilient systems involves incorporating security and privacy measures that consider today’s threats.
So, what makes a resilient cyber security approach? Join Carsten Maartmann-Moe on Gold Stage at 15:30 (Day 1, Cyber Security Nordic) for further insights on how risk quantification, resilience, optimisation, and security and privacy by design will help build more resilient businesses, products and services.
For more info on how to build and sustain digital resilience, visit our site.