Philosophical phriday - a certain amount of uncertainty

Risk and security professionals typically believe that a company's risk tolerance or risk appetite determines whether risks are or are not acceptable. However, they seldom define the terms, which are used loosely and interchangeably in practice. So what are they?

If you accept (as I previously asserted in this place) that risk is uncertainty, risk tolerance implies a willingness to tolerate or put up with a certain amount of uncertainty, while risk appetite suggests a desire for a certain amount of uncertainty. 

OK so far, but what is 'a certain amount of uncertainty'? That seems paradoxical.

In mathematics, uncertainty is expressed as probability, ranging from p=0 meaning totally impossible (something will absolutely and definitely never ever occur, not under any circumstances whatsoever) to p=1 meaning totally certain (something will definitely occur, for sure, regardless of circumstances). The nature of that something is irrelevant: uncertainty is simply about the likelihood of occurrence over a future period, which in pure mathematics can be literally infinite.

'A certain amount' suggests a definite, distinct quantity ... and here things start to fall apart. In a purely theoretical model described in mathematical terms, probability values can be determined for specific events - for example, the chance of throwing a double six with a pair of conventional six-sided dice is precisely one sixth times one sixth, which is one thirty-sixth: once in every thirty-six throws - on average - is predicted to be a double six.

Notice that's 'on average' because even in a theoretical model, the actual frequency of double sixes inevitably varies in any period less than infinity due to seemingly random (unpredictable) factors such as the starting positions of the dice, the force of the throw and air turbulence. 
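To make the 'on average' point concrete, here is an added simulation (not from the original post) that contrasts the exact one-in-thirty-six probability with the frequency actually observed in a finite, seeded run of throws, and shows how the expected spread of that frequency shrinks with more throws but only reaches zero in the infinite limit.

```python
"""Double-six model: exact probability versus observed frequency in a finite run.
Added example; the seed and throw counts are arbitrary choices, not from the post."""
import random
from fractions import Fraction
from math import sqrt


def exact_double_six_probability() -> Fraction:
    # Two independent fair dice: one sixth times one sixth.
    return Fraction(1, 6) * Fraction(1, 6)


def simulate_double_sixes(throws: int, seed: int) -> int:
    # Count double sixes over `throws` throws of two fair dice.
    # A fixed seed makes the run repeatable; a different seed is a different "experiment".
    rng = random.Random(seed)
    count = 0
    for _ in range(throws):
        first, second = rng.randint(1, 6), rng.randint(1, 6)
        if first == 6 and second == 6:
            count += 1
    return count


def observed_frequency_spread(throws: int, p: Fraction = Fraction(1, 36)) -> float:
    # Standard deviation of the observed frequency for a binomial process: sqrt(p(1-p)/n).
    # It falls as n grows but is never zero for any finite n.
    return sqrt(float(p * (1 - p)) / throws)


if __name__ == "__main__":
    p = exact_double_six_probability()
    print(f"exact probability: {p} = {float(p):.6f}")
    for n in (36, 360, 3600, 36000):
        hits = simulate_double_sixes(n, seed=1)
        print(f"{n:>6} throws: {hits:>5} double sixes, observed {hits / n:.6f}, "
              f"expected spread +/- {observed_frequency_spread(n):.6f}")
```

Even at 36,000 throws the observed frequency is typically a few hundred thousandths away from 1/36, and the spread column shows that no finite number of throws removes that variation entirely.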

Even if all known factors were strictly controlled in an experimental setting (perhaps using a robot arm to throw consistently-loaded pairs of dice in a vacuum chamber with a specified and accurately-controlled force), there would still be minor variations from throw to throw that would affect the result over a given number or sequence of throws. Consistent loading, for instance, means zero tolerance in the initial position of the dice - none whatsoever. That precision is simply not achievable in practice because, ultimately, we are trying to control subatomic particles that are not amenable to such fine control.

Furthermore, since we do not know, for sure, what all the relevant factors are, we cannot possibly be totally sure of controlling them all. Factors such as the precise shapes and density distributions of the dice could be controlled, to some extent, by precision manufacturing and cautious handling of the freshly-manufactured dice - but notice, again, 'to some extent'. 

Good luck controlling factors such as the gravitational pull of near and distant bodies! Yes, you could conduct a given number of experimental throws within a very short period, when the planets and stars are essentially pulling the same, or do them simultaneously in parallel within a very small physical area subject to essentially the same pull, or do a gazillion calculations to determine when essentially the same gravitational effects will recur and the experiment can be repeated ... but 'essentially' is not the same as 'exactly' or 'precisely'. 

And who is prepared to assert that we know anything, for sure? There is always a remote possibility that, in fact, we have neglected some factor. We cannot possibly account for every speck of dust in every galaxy, especially as we are not even 100% sure that the universe is bounded. That remains uncertain.

In practice, the actual variations are way more than those theoretical ones. In other words, in reality, there is no such thing as 'a certain amount of uncertainty'. Ultimately, uncertainty is inherently, inevitably and undeniably uncertain. 

OK, that's enough for now. I will probably return for more on risk tolerance and appetite at some point, but who knows? We can't be certain of that.