Quick! Tell me the right cyber risk assessment in a complex situation.

Last week a long-time client called to ask for quick cyber risk assessment. No threat of violence — but they wanted to know if their (very good) network security would effectively defend them against a known (very aggressive) cyber threat. An immediate opinion was needed. I was faced with the problem that decision makers live with especially in high-threat or violent situations.

Few problems in management are purely quantitative. Even the formulas that are used to define expected loss have squishy components. For example, the familiar

Risk = vulnerability * threat * asset value

can not be calculated without a footnote like “threat capabilities based on last year’s newspaper reports”.

High stakes decisions

All of these matters get much more complicated in high-stakes situations like international competition. The strategic forecasting organization Stratfor explained their approach in a November 16 article 1.

Quantitative predictions can be made when the numbers are clear. For example, in the case of China’s expanding naval power:

“The same case can be made for China, which has rapidly transformed from a country self-sufficient on key commodities to one that often consumes twice as much as it produces. This quantifiable change in economic dependency has driven Chinese leaders to secure access to those commodities abroad and to ensure that their supply lines remain uninterrupted.”

But sometimes numbers just don’t work.

“Another challenge in trying to use numbers to communicate confidence in a prediction is that, if they aren’t derived from quantifiable factors plugged into an algorithm, they often become ways for an analyst to just express a gut feeling.”

Violent situations have their own priorities. Some of these were described in https://esleuth.com/2016/10/18/violence-correlation-or-causation/

My opinion for the client was…

You have a 5% chance of cyber survival” I thought that this was more polite than “You will lose this battle”. The management decision made sense; in the end what they remembered was the 5%.


1 Viewing the “free” Stratfor article at https://www.stratfor.com/weekly/numeric-problem requires providing an email address. As a long time subscriber I recommend their service. With any web transaction, I recommend using an email alias that is not used anywhere else. This allows shutting off spam without wrecking your cyber life.