Pete Lindstrom posed a question this morning: "Are freak accidents the black swan?" Alex over at RiskAnalys.is takes this and runs with it, arguing that the answer is categorically "no." An interesting discussion.
Now, for those of you who are fans of high-seas adventure in the age of sail (think Patrick O'Brian), the black swan they are referring to is not the tale of "Seas Ablaze...with black villainy, with fiery romance, with breathless deeds of daring..." that might have leapt to mind. Instead, they're referring to a logical principle usually called "falsifiability." What the hell does that mean, you ask?
Here's the gist: somebody makes a universal statement like "dogs can't look up" (apologies to "Shaun of the Dead") or "all swans are white" (apologies to Hume). How many dogs (or swans) do I need to find to disprove it? Just one. If I find a dog that can look up, or a black swan, the statement is disproved, no matter how many white swans I had counted before. Technically all of this belongs to epistemology (the philosophy of how we know things) and the philosophy of science. Epistemology, via the problem of induction, says that we can never establish a universal statement as certain, because we can't examine every possible counterexample; the philosophy of science (always more grounded in the practical) tells us that for an empirical statement (a hypothesis) to count as scientific, it must be falsifiable: there must be some observation that would refute it.
All well and good, but there's a more targeted application for us in infosec. As Alex points out in "Black Swans and Zero Day," the falsifiability discussion in infosec has to do with how we deal with "black swan" threats that disprove what we previously took to be true. Example: in 1996, I could have stated that phones could not get worms. That would have been workable as a hypothesis right up until the black swan (the first cell phone worm) came along and disproved it. So the question of the day is this: how do we in infosec plan for and mitigate the threats that could happen but currently don't? For example: zero-day exploits, TiVo-borne malware, worms that make your screen explode, telepathic phishing attacks, or any of the infinite number of other things that could potentially happen but don't. In other words, how do we in infosec deal with the black swan threat? In my opinion, we don't.
Not deal with it, you ask? That's right. You see, the black swan is a losing proposition. By definition, the black swan flies in the face of what one knows to be true. Consider two different black swans. "Black swan #1": somebody uses a previously unknown (zero-day) exploit against Apache to own your box. Now, somebody could claim that you could (or should) plan for this; for example, they might argue that by using defense in depth or by applying restriction mechanisms (chroot, permissions, whatever) on the box, you could increase your assurance that the platform stays protected even after the service itself is compromised. Maybe so. But since the black swan is (by definition) unknown ahead of time, how many services would you need to harden? All of them? And maybe your hardening technique doesn't close the door to that particular exploit: a chroot buys you nothing if the bug is in the kernel, and file permissions buy you nothing if what the attacker wants is the data the service is supposed to serve. What do you do next? And how much money do you spend doing this?
Now consider "black swan #2": the security guard at your colocation facility sneaks his girlfriend in, and they happen to be having a picnic (against policy) right next to your corporate email server. The guard makes his move, fakes a yawn and goes for the hug, and in the process knocks a Coca-Cola onto your email server's power supply (and its redundant backup power supply). It brings down your server. Sound far-fetched? Maybe. Is it more or less likely than the previous black swan? I don't know. Both are certainly possible, right? Both are in the universe of things that can happen to affect the confidentiality, integrity or availability of your firm's business. Now, maybe one is more likely than the other (arguably the second, I think), but that's not really the point. The point is that there are infinitely many things that can happen. Worse yet, since the infinite list contains all previously unknown threats, quantitative risk management becomes impossible for them. Risk management is about deciding where to spend money based on the likelihood of an event and the impact of its outcome; black swans are, by definition, new things we have no foreknowledge of, so there is no way to fill in the first half of that equation. How do you determine the likelihood of occurrence for something that has never occurred before? I'm pretty sure you can't, at least not in any kind of structured, objective way...
Anyway, that's just my two cents.
Posted by Ed at October 25, 2006 02:19 PM

Interesting and insightful, however...
I don't think risk management of the unknown is impossible. If you're worried about analyzing the risk of something that hasn't happened yet, then you can let someone else do it. In fact, this is exactly the kind of thing you'd want insurance for, and people purchase insurance for *everything*, including, say, alien abduction. See this link:
http://www.findarticles.com/p/articles/mi_m1318/is_n10_v52/ai_21136401
So, if you're worried about a specific threat, why not try to get someone to write you an insurance policy against it? Let them do the brainwork of figuring out the odds; all you have to do is decide whether the cost of the policy they come up with is greater than your peace-of-mind threshold. Risk transference, my friend!
OK, so it only helps against specific threats. But that only backs up your original point.
-FWL
Posted by: FWL at October 26, 2006 11:15 PM

I really enjoyed the article!
With regard to Black Swans: I'm starting to believe that it's risk management's (the managers', that is) job to explain the extremely low probability to other management. You have to assume event = true and losses = worst case, but having this discussion accomplishes two things:
1.) Gets senior management understanding that the risk we face is a probability issue.
2.) Prepares them for the *possibility* (but hopefully we don't use that possibility as a scare tactic).
I haven't thought this through enough yet; I'm still wondering what the strategy for Black Swans should be.