Home  |  Sarah  |  Services  |  Blog  Contact

Friday, 15 May , 2015

Schrödinger’s Risk

Share this article

Just like Schrödinger and his quantum feline, most companies are just making assumptions about the state of their cybersecurity risks.

Everybody has at least one. It’s usually orangey red, long in the tooth, semi-regularly reported, infrequently updated and fought about annually. Like Schrödinger’s pussy cat, it’s usually in a box (4 x 4 or 5 x 5) and has known triggers that would, if activated, result in a CATastrophic outcome (see what I did there 😉 ).
For those unfamiliar with the quantum theory, here’s my version of the physics:

Schrödinger’s Feline

Slide1A cat goes into a sealed box with a vial of hydrocyanic acid, a tiny bit of fast decaying radioactive material, a geiger counter linked to a trigger and a hammer. The trigger makes the hammer smash the vial when a radioactive atom is released by the decaying isotope and detected by the geiger counter. Smashed vial = gassed cat.
Outside the box folk have no idea if they have an ex-cat on their hands. Ergo, in that version of reality, the moggy exists in 2 potential states: Fighting fit and Dodoed.
Or (if you enjoy the wonderful perspectives of Sir Terry Pratchett*), 3 states: Alive, Dead and Bloody Furious.
That set of possibilities only changes when you open the box.
Most folk, with even a passing interest in STEM, will be familiar with that and folk fiddling with quantum computing will be intimately acquainted with the implications. What blows my mind (from that computing perspective) is the fact that multiple concurrent potential results are actually observable at a subatomic level and seen to change when problems are definitively solved with available data. Consider the possibilities presented by dealing with all feasible outcomes at the same time, instead of one after another (what all traditional computers, even the cutting edge ones do now)….WOW.
There are also big and very real risks linked directly to going quantum, as Vivek Wadhwa explains here:

Quantum computing is about to make big trouble for cybersecurity

That’s as far as I go with this before my brain melts (even the man himself reportedly said he wished he’d never thought of the cat), so back to those risks.

Quantumly Entangled Risks

As I said above, you probably have at least one floating around in a box somewhere. Here’s an example (the matrix is from Peter Prevos’s excellent 2011 article ‘The Risk of Risk Management’):
Slide1Just like the eponymous feline, the state of that persistent risk is a mystery due to a few basic and very common facts:

  • It’s there because of an incident, an audit point, a compliance failing, a vendor FUD campaign or a news story that was big enough to really bother the board.
  • The quality of original assessment lies somewhere on this continuum:Slide1
  • The board, audit and your regulators demand that risks are moved from top right-ish towards bottom left-ish of the risk matrix.
  • Periodically risks get more orangey (or even orange with a hint of green!), based on some security work having been done.
  • At least once in the risk’s lifetime, a new assessment method will have been tried by you or consultants. It will have either escalated or downgraded the risk. The board will have asked why the risk changed. You won’t have been able to answer.
  • Since logging it you haven’t found any scientific way to measure and demonstrate improvement. Or in other words:

If point A is a guesstimate and no meaninful way to measure the risk has been plugged in since, the movement towards your target position (let’s call it guesstimate B), will be in increments of “that’s enough to keep them happy, but not so much they’ll doubt it”.


That (if you are honest) is the status quo. Risks in a box that could go critical at any time, but as outside observers, with no useful means to measure their status, they exist in the corporate mind in multiple states:

  1. Denial – It’s not worth worrying about, after all it’s been there for years and nothing’s gone wrong.
  2. Paralysing Fear – It ‘feels’ like horrendous pain is imminent (based on what you do know about current vulnerabilities and threats), but you can’t communicate that in persuasive enough risk terms to secure funding to do something about it.
  3. Fragile Confidence – Perception that the risk of harm is being ‘managed’ satisfactorily, but risk treatments and status updates can’t be demonstrated as making a difference. A state frequently destroyed by incidents, audit points and budget cuts.

Far From Blissful Ignorance

No matter which ‘state’ gets most political weight thrown behind it, no-one really knows and it’s the not knowing that’s the real killer. In a company with a broken culture there will be many competing reasons not to break open that risk box, but you have to. Problems cannot be dealt with until they are understood.
Robust risk assessment is still an enormous challenge (as I call out in detail here), but things are improving. Threat intelligence is getting more emphasis on the ‘intelligence’, vulnerability assessment is slowly evolving to show you business risk relevant impact and likelihood, non-technical (usually people related) threats are being given more appropriate attention, a greater quantity of better quality industry incident data is becoming available (albeit, if firms don’t pull their fingers out, just to insurers who may not be great at sharing it) and the high ‘cyber’ profile of security is bringing more money into security functions.
BUT, none of that will help if CXO level consumers of risk data ignore the Schrödinger-esque trap they are in and keep shooting messengers who give them a potentially upsetting, but utterly necessary, peek inside the box.
If you don’t take this plunge soon, someone will take it for you. Perhaps cyber insurers assessing you to estimate premiums, or regulators landing on you like a tonne of bricks, when one of those mystery boxes goes bang. In fact those aren’t your worst nightmare scenarios…trial by media, as JP Morgan, Sony, Target, Anthem, Hilary Clinton and now Starbucks know, is a whole other level of pain.


*From Discworld book 14: Lords and Ladies

Opinion: Paying to play with our personal data – is it ok?

We’ve migrated from ‘Hot or Not?’ to being held virtually hostage by many of the digital platforms we rely on today. In the midst of that a new processing paradigm has emerged. Myriad startups want to pay to play with your personal data. Can this tackle on-going...

In AI we will blindly trust…

...and the architects, designers, data scientists, and developers will think we are nuts I've been driven back to the blog to talk about one very specific aspect of privacy, data protection and Artificial Intelligence (exchange for Machine Learning or Algorithms as...

Data Protection, Security, and the GDPR: Myths and misconceptions #2

Welcome back! This is a shamefully delayed sequel to my first instalment of security themed GDPR thoughts: Data Protection, Security, and the GDPR: A fraught and fuzzy relationship. Here I look back again over my pre-privacy IT and InfoSec career to spot things likely...

Where and to whom does the GDPR apply?

Yeah, I doubted my sanity going at this one too, but here I am, because working out whether or not the GDPR would apply in different practical and geographical circumstances is proving harder than it really should...for everyone. This regulation has been my almost...

GDPR – You’ve analysed the gaps, but can you close them?

  There is a critical gap for most firms: An inability to interpret and leverage gap analysis, data discovery, and mapping output to actually implement technical data processing change. This article is about the challenges most large firms are facing when trying...

GDPR – The Compliance Conundrum

There is one question related to the General Data Protection Regulation that will arguably cause more ulcers than any other: How much is enough? In some portions of the GDPR 'good' is straightforward. In many others we are asked to respect principles of fairness and...

Opinion: The role of automated data discovery in a GDPR programme

Do you have any online profiles or posts featuring those 4 magic characters: G D P R? If so, whether you are a business decision maker, IT body, security body, charity boss, employed data protection pro, or job seeking data protection pro (less and less likely), you...

When Business Culture Eats Cybersecurity For Breakfast – Part One

A four-part story of budget cuts, blamestorming, breaches and massive bumps in the road to mature security. Wild Speculation & IT Transformation Do you remember Nick Leeson? On February 23rd 1995 he sent a fax telling bosses at Barings Bank he was ill and wanted...

Cyber Insurers Dictating Cybersecurity Standards?

A run down of the key challenges with choosing and using cyber insurance called out in the last few months. It looks entirely possible you will have 'adequate' security dictated by your insurers, so it is your job to understand the risk based yardstick they're using...

There Is No Such Thing As Information Security Risk

Having worked in IT and Information Security for 13 years, I've come to the conclusion that there is no such thing as information security risk. There are just business risks that have one or more security or IT related causes. There is a fundamental and persistent...