Monthly Archives: February 2014

Metaphors Amuck for CyberRisk


Nagasaki, Japan 1945

PW Singer wrote a great piece for the LA Times last month, “What Americans should fear in cyberspace.” .  In the article, Singer drives home the point of the dangers and harm done of equating risks in cyberspace with historical physical and kinetic events such as Pearl Harbor and using language borrowed from the physical space — weapons of mass destruction, Cold War, etc.

By using such language, such poorly contemplated metaphors, actual risk is not communicated. Worse, misinformation (aka statements-&-proclamations-that-are-wrong) is the thread. Singer points out that instead of educating, we fear monger.

In my opinion, one reason for fear mongering with pithy armageddon-esque descriptions instead of providing education is two fold:

  • it is easier to fear monger than it is to educate
  • fear mongering titillates and sells advertising

None of this is to say that there is not a real challenge in communicating risk. There is a real challenge. As a society, we don’t have a basis for understanding this kind of risk. It’s much too new. In the shipping, financial, some health, and even sports industries, there are decades or centuries of actuarial data to work with. This industry has at most two decades, but even that is not terribly useful given the rate of change of the ecosystem and attack types.

Singer suggests studying other examples of how society has handled new (massive) ideas such as the story of the Centers for Disease Control and Prevention in public health.  This seems like a great idea. (Right now, I wish I could think of more).

“The key is to move away from silver bullets and ever higher walls … “

Singer goes on to say that cyberrisk is here to stay and needs to be viewed as a new perennial management problem. Further, we need to acknowledge that attacks and degradation will happen and we need to plan for this. Planning for this and not wishing it away is building resilience. This, I believe, is the key. And with that enduring problem come the hard decisions of dedicating resources — whether from company revenue streams or ultimately taxpayer funds.

What metaphors can we use to better educate without fear mongering? How do you think national and business resilience should be funded?

[Image:Wikimedia Commons]

Chuck Benson’s Information Risk Management Video Lectures

Slide from lectures -- Building an Information Risk Management Toolkit -- Week 9My lectures on Information Risk Management are on deck again this week in the University of Washington & Coursera course Building an Information Risk Management Toolkit.

(Use the link above & click on Video Lectures on left & then go to Week 9.  The video “Bounded Rationality” is a good place to start. Just need e-mail & password to create a Coursera account if you don’t have one).

slide from lectures -- Building an Information Risk Management Toolkit

Slide from lectures — Building an Information Risk Management Toolkit