For decades, I have appreciated  Peter Sandman 's approach to outrage - the social phenomenon in which groups of people react strongly to some perceived threat, issue, concern or whatever, drawing-in other like-minded individuals via social media. The echo chamber (positive feedback loop) can rapidly escalate emotions to an unreasonable degree with a lack of reasoned, critical thinking - according to those allegedly responsible for the issue anyway.    In the case of, say, the placing of 5G cell towers in/near schools, the outraged can become furious that the risk (as they see it) is being 'callously ignored' by the equipment suppliers, site developers, authorities and scientists, and enraged that they are 'not being taken seriously'. From their perspective,  thanks to group think (social endorsement),  the  perceived   risks are portrayed and understood to be deadly serious .  Leaders within the outraged community gain notoriety, influence and personal power from

 

First, two definitions: " Certification " is the process of checking something against defined criteria, and if it passes (meets the criteria), issuing a certificate of compliance or conformity or assurance or whatever. Certification gives some assurance that the certified organisation or individual meets the criteria ... provided the certification body or person is competent and trustworthy, the checks were done properly, and the certificate itself is authentic. Hmmm, quite a few caveats there ... " Accreditation " is the process of confirming that whoever is checking and issuing certificates is properly qualified, competent and trusted to issue meaningful certificates by following prescribed processes. It adds credibility, meaning and value to the certification and issued certificates ... provided the accreditation body or person is competent and trustworthy, the checks were done properly, and the a

The last of a dozen learning points I made in a post-incident review of the Crowdstrike incident was: "Unless changes are actually made as a result of an incident, the uncertainties (risks) remain. We have missed out on a valid learning and improvement opportunity." Although I accept that nobody is obliged to learn from incidents, make changes or improve, the Crowdstrike incident was Big News when it occurred back in July, and here we are in October. So it's fair to ask what - if anything - are we doing differently now? [I'm using Crowdstrike here simply as a well-known example. Even if the Crowdstrike incident had no material impacts on your organisation, you have undoubtedly suffered various incidents, possibly something serious or critical. As you read on, by all means substitute some other significant recent incident in place of "Crowdstrike" if that helps you relate to this piece.]  A cyberattack can be a devastating event for any organization. It'

  Risk and security professionals typically believe that a company's risk tolerance or risk appetite determines whether risks are or are not acceptable. However, they seldom define the terms which are used loosely and interchangeably in practice. So what are they? If you accept ( as I previously asserted in this place ) that risk is uncertainty, risk tolerance implies a willingness to tolerate or put up with a certain amount of uncertainty, while risk appetite suggests a desire for a certain amount of uncertainty.  OK so far, but what is ' a certain amount of uncertainty '? That seems paradoxical.

Lately I've been pondering the thought that 'risk' is 'uncertainty' - it's not simply that risky decisions and activities involve some element of doubt, that they might work out extremely well or go horribly wrong, but that the lack of certainty is itself a critical factor. As well as the rational mathematical basis in probability theory and statistics , there is also an emotional aspect to uncertainty. It affects the way we perceive, prepare for and address issues. It affects our planning and capability. It can be debilitating, resulting in indecision and delay even though that may make things even worse: sometimes, it is better to make a decision now (despite the uncertainties) and press ahead in the belief that we will cope with whatever eventuates. Conversely, it may be better to delay a decision and hold back while gathering more information, building resources, preparing and aligning those involved, and considering various eventualities. Uncertainty ha

Someone who is actively involved in, or is managing, an activity is patently not independent of it. They may well make a conscious, rational and determined effort to be objective, dispassionately reviewing evidence etc ., but their subconscious/emotional biases/prejudices and beliefs/value-systems will inevitably influence what they do. With the best will in the world, they will struggle to challenge and assess their past decisions and activities, especially if they were "certain" or "determined" or genuinely believed they were "doing the right thing". Furthermore, it is very hard for anyone to review the things they did not do, decisions they did not make or options they did not even consider. Mostly, they remain out of sight or out of the question.