Philosophical phriday - why take the risk? [LONG]
If, as many security professionals evidently believe, risk concerns the possibility of harm, then surely we ought to do everything possible to reduce the possibility and/or the harm caused, by strengthening and extending security or ideally avoiding it completely by simply not doing risky things - right?
OK, so then why do we take risks at all? Why do we need security to mitigate bad stuff? Security is costly and fallible, so can't we save money by totally avoiding or eliminating risk?
Errrrrmmm ... since it's philosophical phriday, this is an opportunity to explore the issue further, taking a deep dive. But, before I blabber on, dear reader, please take a moment to ponder this for yourself. No, take several. Take as long as you can. Take the rest of the day off: it's phriday after all.
Why do we take risks? Seriously, why?
What does it mean to 'take risk'?
Grab a pencil or mouse.
Jot something down.
Think again.
Ponder on.
Keep listing, scribbling, doodling, mind-mapping, whatever.
Have another coffee.
Review what you've got so far.
Try different colours. Use highlighter. Turn the page.
Ask a friend.
Ask the kids, or the duck, or your better-half.
Ask a robot.
Consult your favourite authors and philosophers.
Visit the oracle (if not the Oracle).
Think about different kinds of risks, different situations, differing contexts and scenarios in which risks are taken, or not.
Take a walk.
Promise yourself a treat after another 15 minutes' hard thinking.
Plumb the dark depths of your knowledge and experience for relevant anecdotes, tales and thoughts from the deep.
Dream a little. Get creative. Imagine.
If you're not exhausted and completely out of ideas yet, go back a few steps and give it another go. Lather, rinse, reveal.
If you're out of time, take a break. Make time to come back later.
Count your reasons. Is that all?! What have you missed? Are some of those reasons compound, composed of multiple elements? If so, might those constitute separate reasons for taking risks? Tease them out too.
Keep at it over the weekend or however long you have left on this world. Not 24x7, but I urge you to invest more than a little brain-juice into this fundamental issue - especially if you are one of those security professionals I casually mentioned up-front.
Don't peek below until Monday at the earliest.
If you wantonly ignore these explicit instructions and read ahead prematurely (you krazy fool you!), you might not get as much out of this little thought-exercise, but then maybe you will: that's the risk you take.
OK, here goes. What follows is a somewhat cynical and rambling diatribe inspired by those rhetorical questions above. It's long but incomplete. It has a ring of truth, in parts, and is decidedly weird in others.
It is, <ahem> my theory.
Ready?
We take risks because:
- We don't always notice or consider them. They aren't necessarily obvious, especially if we aren't even looking - perhaps engrossed in something else, too busy, crossing the highway while TXTing or asleep at the wheel.
- We don't always appreciate their existence - the dreaded 'unknown unknowns'. It hasn't even occurred to us to look for them. They are left-field things that might blind-side us. Although the concept is dreaded, we're not scared of the risks themselves ... because they haven't entered our thoughts. Furthermore, no matter how much effort we invest, we cannot achieve perfect and complete knowledge in any real-world setting: there will always be gaps, mistakes and misunderstandings. Life is too complicated and open-ended. Risks are inevitable.
- We understand they may exist but we don't know enough about them to characterise or even describe them properly, hence we cannot be certain of effectively treating, dealing with, managing or eliminating them. This is the realm of scary risks. There are residual risks here that plague our risk management activities, methods, approaches and practices, and that's a worry.
- They may be deliberately hidden from us for some reason. Maybe we are distracted by something shiny, or tricked into looking right through them without noticing the signs. Fraud for example. Scams. Hidden agendas. Ulterior motives. Sleights of hand. Poker faces.
- We understand they might theoretically be present but we don't look hard enough to see them. Perhaps we are looking in the wrong places or in the wrong way. Maybe our eyes and 'scopes are defective. Maybe we suffer from sunstrike, myopia or cataracts. Maybe we should remove our sunglasses and blinkers. Faced with 20/20 hindsight, we will squirm awkwardly in our seats when accused of being negligent, after they come to pass.
- Something else gets in the way of us seeing, evaluating and responding appropriately to them. We're constantly juggling objectives, priorities, resources and constraints. Realistically, we can't depend on perfection, so we don't really try ... we pay lip service to risk analysis And All That. We Don't Have Time For This.
- We see them but we underestimate them. They are more significant than we believe - more likely, more harmful or both. Our analysis is flawed. Our assumptions unfounded or mistaken. Our prejudices are prejudicial.
- They have changed since we examined them. They are dynamic. We are ponderous.
- For some reason, we believe they have grown or are becoming less significant: we feel sure the time is ripe to take the risk. Our gut tells us so.
- Conversely, we believe they are going to grow more significant unless we take action now, seizing the opportunity while there is still a realistic chance of success. We daren't risk delay. It's now or never!
- We don't care. We are reckless, if not wreck-less. We have a death-wish. We relish the possibility of failure. We don't feel we 'deserve' success. We have taken to heart but completely misunderstood the mantra "fail fast, fail often".
- We disrespect those around us, and don't care about those who rely upon us. We are sadistic. Although we too may suffer, we will enjoy seeing them in pain if the risks eventuate. And we are hard-as-nails, tough as an old boot. We can take it. They can't. We'll prevail, and come out of this stronger.
- It is part of our cunning strategy. We have not just an appetite but a raging hunger and desperate thirst for risk. We honestly believe that challenge and adversity are the very essence of innovation and progress. We feel sorry for those pathetics who lack our insight and bravery.
- We are truly resilient, survivors, strong and robust. We believe, perhaps even 'know', that even if risks materialise, we will cope and get through it. We aren't terribly concerned about the down-sides. We see risks differently to others.
- We want to give the appearance of being resilient, survivors, strong and robust, able to succeed despite everything, because that's part of our approach, our brand. It will scare-off opponents, or fool them into taking the same risks unwisely. It will impress our girlfriends - and that's more important than surmounting the risks.
- We are stupid. Seriously, risks? Nah, scaredy-cats crying wolf. I'm telling you, we just had one of those once-in-a-decade incidents so we have another nine years to enjoy before the next.
- And anyway, I will be long gone by then.
- We are in denial. Risks, what risks? Don't bother us right now, we have other More Important Stuff To Do. It can wait. Risk management and free beer: tomorrow.
- YOU will take the blame if it all goes horribly wrong, while WE will take the glory if not ... and we'll also be quietly pleased with ourselves for sidestepping our responsibilities in that fashion. Bugger ethics, such is life! Suck it up!
- They are within our declared risk appetite. It is appropriate to take them. We have the permission - in fact we are expected or required to take them. We're a little worried that we might not achieve our risk quota.
- Taking account of all the uncertainties in our risk analysis and the available information, we can justify our claim that they fall within the tolerance margin of our risk appetite. Even if they don't. And even if we have only the vaguest understanding of risk appetite and risk tolerance, and little to no explicit guidance from Above.
- We feel lucky. Fortune will smile on us. Our stars will align. More accurately, there is a seemingly and perhaps literally random aspect to this. Risk is uncertainty, not certainty. Besides which, we're on a winning streak.
- We are rational gamblers. Even if there is - or we genuinely believe there to be - a ~99% probability of a risk eventuating, the remaining ~1% might be worth taking a chance if the payoff is substantial.
- We might overestimate that payoff. It might not be worth as much as we thought and hoped. We might fritter it away, or discover that it simply doesn't materialise.
- We think we might have underestimated the payoff. We have a sneaking suspicion that the future will be even rosier than we imagined. Our thoughts are clouded by the greedy possibility of becoming rich beyond measure.
- Someone has to do it. Someone has to go first. By bravely and decisively stepping forth, we are demonstrating our courage and leadership. The lemmings, er, sheep will surely follow. Tally ho!
- A little bird told us to take it. We've taken advice from Someone Who Knows. Our Glorious Leader says it's OK and of course we trust them, because they Know. They have The Power and the Knowledge. They control everything that goes on down here. They are in charge. We are mere serfs.
- We have our advisor's nuts in the clamp. If things go South, we will extract our revenge and might even recover some of our costs. We will never trust each other as much again, and we'll all have learnt a valuable lesson.
- This is a learning opportunity, win or lose. If we don't take the risks, we will never know how they would have worked out.
- We have a fallback plan, insurance, cast-iron guarantees. We have been assured that our backs are covered. So we don't particularly care about the downside. We are confident. Resolute. Bold-as.
- Someone else will take the hit if things don't go to our advantage, in which case it's their problem, their fault for putting themselves in that position. Our moral compass is spinning wildly.
- We don't learn. We keep on making the same mistakes, over and over. We are doomed, doomed I tell you. Maybe this time things will be different.
- We have been commanded to take the risks. It is not our decision to make. There is some other Higher Power in charge here. We are simply following orders.
- We have been given no other option. We hope that fact will become crystal clear if it doesn't work out, or that we will at least be able to claim so, credibly. We are good at denying our part. We have a cover story in reserve, our excuses primed and at the ready.
- We are sacrificial goats. It is our place to take risks. We are disposable. We are nothing, cannon-fodder, chaff. We really don't matter in the grand scheme of things, and nobody cares whether we succeed or fail. We are not worthy etc.
- Taking these particular risks is but a necessary step in a Grand Plan. There is more at stake here than the stake. It is a strategic imperative.
- Our wonderful security controls might work absolutely perfectly, eradicating the risk. They might be perfectly engineered, designed, implemented, used, monitored, managed, maintained. They might prevent any occurrence, or completely negate any adverse consequences. Pigs might fly.
- Pigs do fly! I've seen it for myself! I have boundless faith in my decision-making capability and the competence of me and my colleagues. We not only follow best practices, we practically invented them. We are self-assured, brazen. We are not over-confident, just confident, supremely confident. We know this is going to work out ... having utterly convinced ourselves.
- We have laboriously and painstakingly analysed and addressed all possibilities, both individually and in permutations and combinations. We have engineered the entire system to bring everything under our absolute control. We have sought assurance from the very best in the field. We have not spared the horses - it can't possibly go wrong after all we've done to ensure it will work out.
- Or at least, that's what we're telling our stakeholders, because that's what they want to hear. Despite our lingering doubts, we present a strong case.
- We are genetically programmed to do so. Risk-taking is literally coded in our DNA. We take risks to live, prosper and procreate because not taking risks means death for us not just as individuals, but as a species.
- We have to: there really is no other choice. Even if we successfully avoid the particular risks on the table, there will be others. Not taking risks is risky! Taking - as in reacting to and addressing - risks is itself risky. We might do the wrong things, do them wrong, or be wrong about the risks we're attempting to take. Although we will probably be criticised, sanctioned or sniggered-at for taking risks if harm eventuates, being called gutless or meek is no fun either.
Enough already. I'll stop there at the magic number 42.
What have I missed? What else is on your mind-doodle-thing?
Now, tell me again that security is The Answer to risk. See if I believe you this time.