Philosophical phriday - dealing with uncertainty


Lately I've been pondering the thought that 'risk' is 'uncertainty' - it's not simply that risky decisions and activities involve some element of doubt, that they might work out extremely well or go horribly wrong, but that the lack of certainty is itself a critical factor.

As well as the rational mathematical basis in probability theory and statistics, there is also an emotional aspect to uncertainty. It affects the way we perceive, prepare for and address issues. It affects our planning and capability. It can be debilitating, resulting in indecision and delay even though that may make things even worse: sometimes, it is better to make a decision now (despite the uncertainties) and press ahead in the belief that we will cope with whatever eventuates. Conversely, it may be better to delay a decision and hold back while gathering more information, building resources, preparing and aligning those involved, and considering various eventualities.

Uncertainty has implications for safety, security, resilience, survivability, stability, profitability, ethics, strategy, planning, operations and more, plus risk management of course. Conventional risk management wisdom tells us there are at least four ways to deal with risks. Given the equivalence mentioned at the start, let's see how those four approaches apply to uncertainty.

Mitigate uncertainty

  • Gather more information to analyse and understand what is going on, what has happened, what might happen (analyse, quantify, reduce incertainties/increase certainty).

  • Meanwhile, focus on the here-and-now, retaining future options and delaying strategic decisions (tactics).

  • Contain things within acceptable bounds by preventing or at least reducing the possibility and extent of unwelcome excursions (preventive controls, guard rails).

  • Detect and respond to unacceptable activities, as soon and effectively as possible (detective and reactive controls).

  • Clarify ownership and accountability, refine rules and expectations (governance).

  • Think through various scenarios and possibilities, particularly but not exclusively around the most uncertain aspects.
     

Avoid uncertainty

  • Watch for trouble ahead - identify significant uncertainties including incomplete and inaccurate/misleading information, false or unfounded assumptions, errors, biases/prejudices, malicious adversaries, monitor for changes, set alerts, alarms and indicators.

  • Don't get in to uncertain situations in the first place - look forward and around, stop, steer clear or bypass.

  • Refuse to commit in the face of excessive uncertainty - delay, gather more information, seek competent advice, explore alternatives, retain back-out/fallback options, protect escape routes  ...

  • Slow down progress or pull out of uncertain situations - limit resources, extend timescales, change tack, cut losses, shut things down.

  • Raise and act appropriately and decisively on yellow and red flags.

  • Clarify and focus on key objectives, avoiding wasteful diversions and delays.

Share uncertainty

  • Find partners with common interests and concerns, build strong relationships, establish mutual respect and trust, demonstrate support and understanding.

  • Divide and spread the load, working as a team or at least aligned to some extent.

  • Collaborate and invest collectively to build knowledge, capabilities and resilience.

  • Recognise and compensate for each other's weaknesses, deficiencies, constraints etc.

Accept uncertainty

  • Acknowledge the practical limits and (inevitable) remaining uncertainties, including projected issues and partial or complete surprises (black swans).

  • Go with the uneven flow, dealing with issues as they arise.

  • Prepare to handle further issues ahead, whether more of the same or something different.

  • Anticipate, accumulate adequate reserves and be ready to handle surprises ahead (good, bad or indifferent).

  • Accept that not everything is deterministic or causative, that some things are truly random while many more are so complex and poorly understood or controlled to appear (to all intents and purposes) random. 

  • Handle the emotional turmoil relating to doubts, setbacks and difficult decisions, both internally and affecting others involved.

  • Show leadership and resilience, pushing through or aside adversity.

  • Remain agile, adaptable and responsive.

  • Celebrate both successes and failures when probabilities hit 0 or 1.

  • Learn and improve systematically, based on direct experience and credible information from others.

In life, it is valuable or necessary to appreciate,consider and usually accept some degree of uncertainty and ambiguity. Welcome to the world of maybes.
Neither pessimist nor optimist, a realist thinks 'Maybe it will, maybe it won't. Maybe we're OK, maybe not. Maybe we're winning, maybe we're losing. Maybe we're secure, maybe we're vulnerable ...'
The trick is to deal with whatever occurs.

What else?

OK, that's my interpretation of how the generally-accepted four risk treatments can be applied to uncertainty - entirely conventional, reasonably straightforward and yet already there's plenty to think about ... but wait, there's more.

Thius far I have mostly described defensive or reactive approaches designed to reduce our uncertainties and improve the quality of our strategic planning and capabilities. In a commercial, political/national or other adversarial context, what else can be done? Here are some more offensive, proactive ideas:
  • Increase the adversaries' own uncertainties e.g. by promoting misinformation, feeding disinformation, seeding doubts (even in areas that are actually well understood and controlled).

  • Increase adversaries' uncertainties regarding our strategies, capabilities, intentions, strengths, weaknesses etc. e.g. by keeping related information confidential, by using feints, fakes, side-steps and diversions to mislead them, or by confusing them with numerous possibilities, some conflicting, some extremely worrying ...

  • Take advantage of adversaries' indecisions, delays and inflexibility by taking the lead, making decisions faster, more efficiently and effectively than them and moving ahead at pace leaving them constantly 'on the back foot'.

  • Tempting or forcing adversaries down inappropriate or suboptimal paths e.g. fomenting outrage, increased interest or intervention by the authorities, or supporting legal action against them in order to drain their resources.

  • Take advantage of adversaries' limited resilience by identifying their dependencies and vulnerabilities, and actively exploiting them.

  • Likewise with their limited information, awareness, analysis, control, governance, strategic thinking, modelling or whatever e.g. by disrupting their communications, IT systems and processes.

  • Work on adversaries' people, stakeholders, suppliers, customers, partners, advisors, regulators, owners, influencers ... by increasing their uncertainties both individually and collectively/in general e.g. by fomenting distrust, disputes and disagreements between supposed partners and colleagues, or by actively fostering the false idea that an entire industry or nation is facing a downturn or change that may be significant or devastating, in order to restrict their planning horizons, reduce and divert their investments, and set them off on wild goose chases ... meanwhile picking up on the opportunities presented e.g. by actively recruiting their demoralised workers or stealing their suppliers, partners and customers.
Such offensive strategies may or may not be unethical, inappropriate, even illegal - which adds yet another element of uncertainty. Not only is there doubt about whether they would succeed or fail, but what else might also happen. For instance, evidence or even suspicion that management may have taken an unethical or borderline illegal approach might lead to a backlash by those affected or concerned, not least those adversaries, the court of social media and assorted authorities ... hence plausible deniability and a convincing back story may be a sensible part of this.

There are implications here for risk management, strategic thinking, governance, accountability, competitive intelligence, trust, information confidentiality, integrity and availability, information quality and more - a seething cluster of issues with multiple layers and whispy edges. I'll be quietly contemplating those over the weekend ahead. How about you?

Popular posts from this blog

Pragmatic ISMS implementation guide (FREE!)

Image
Early this morning ( very  early!) I remotely attended an ISO/IEC JTC 1/SC 27/WG 1 editing meeting in London discussing the planned revision of ISO/IEC 27003:2017 . Overall, the meeting was very productive in that we got through a  long  list of expert comments on the preliminary draft standard, debated the objectives of the project and the standard and reached consensus on most points. In summary: 27003 is to be revised to align with the current 2022 releases of ISO/IEC 27001 , 27002 and 27005 : These changes are  mostly  minor aside from the new section 6.3 on ISMS changes.
Read more

Two dozen information risks that ISO forgot

Image
Selecting the wrong controls - controls that are inappropriate, ineffective, too costly, impracticable, fragile, unnecessary, counterproductive or whatever, often as a result of blind faith in fads and fashions of the day and FOMO e.g. MFA, AI, cyber Failing to select the right controls - controls that are ideal for the particular situation, both now and in perpetuity, for whatever reason - mostly ignorance and prejudice Selecting and implementing controls at the wrong time or in the wrong way (where 'wrong' includes ineffective, inappropriate, sub-optimal e.g. bolting on controls rather than designing and building them in) Inept and inaccurate identification, analysis and quantification of risk, including reliance on p oor quality (incomplete, inaccurate, out of date, misleading, unreliable ...) information about actual risks, particularly subtle and emerging risks plus those involving deliberate concealment and misdirection e.g. fraud, misinformation, disinformation, propagan
Read more

Philosophical phriday - compliance risk

Image
According to a vendor's promotional video interview I saw recently, the 'cybersecurity compliance burden' has allegedly become so significant that [customer] organisations are eagerly buying [their] software tools and services to help them manage and fulfil their obligations. The vendor's argument goes that, instead of accumulating a ragtag bunch of policies and other controls relating to user Identification and Authentication (I&A), for instance, it makes sense to:  Identify all the cybersecurity-related laws, regulations and standards that apply to the organisation; Examine them for any security control requirements relating to, say, I&A; Rationalise the I&A controls down to the smallest set that satisfies all the requirements - the lowest common denominator; Design, implement, use, manage and maintain those I&A controls; Have the I&A controls checked or audited to gain assurance that the compliance requirements are met.  OK so far? Sounds reasonab
Read more