Managing Unknown Unknowns: How to Navigate Cyber Security Risks in Times of Uncertainty

As humans, we are constantly trying to decrease uncertainty. However, that is not always possible. In particular, dealing with cyber security issues from a business perspective is all about trying to outguess highly intelligent, inventive and creative adversaries on the one hand, and not spending a fortune on solutions on the other. In many ways, developing a cyber security strategy for any business means working with many unknown unknowns (i.e., unknowns which your organisation does not anticipate, but which it is possible to know in principle) or even "unknowable" unknowns (i.e., unknowns which may not be possible to anticipate in principle).

How Does Economic Uncertainty Impact on Cyber Security?

One such "unknowable" unknown hitting every single business around the globe this year is coronavirus. It is hard to predict what the first-, second-, and even third-order consequences of the COVID19 outbreak might be. Yet one thing is clear: the current economic slow-down will seriously affect the economy of every country around the globe, and its impact on business practices will be felt; cyber security practices will not be an exception.

One of the major problems is that, given the buzz around COVID19, it is very easy to lose focus and start making budget cuts in areas such as risk management and cyber security. Furthermore, the problems which existed under "business as usual" double or triple in times of uncertainty, as business owners and executives now have shrinking margins for error. Essentially, while experimentation with compliance or defence policies was possible under normal circumstances, in conditions of high stress and shrinking resources each potential mistake might have detrimental consequences for the security or even the survival of the business.

Unfortunately, economic forecasts vary dramatically at the moment, from some experts saying that the recession will be very long and painful to the view that recovery will be relatively fast. Obviously, the mere fact that we have these diverging opinions and prognoses in itself leads to a lot of confusion in the private sector. In turn, this causes many companies to compromise their cyber security standards, as they are now forced to focus on simply making ends meet.

What Can Be Done?

How can businesses address cyber security issues in a time of uncertainty? Under the current circumstances, it might be useful to think about cyber security risks using the Cyber Security Risk Navigation Matrix below. The Matrix maps a set of potential threats against data availability (i.e., the amount and quality of data available about each threat), which allows you not only to diagnose and approximate the risk for each of these threats, but also to come up with an appropriate business response.

For example, for some potential threats (such as phishing) you might have a lot of data, as your organisation is likely to face phishing attempts on a regular basis; whereas for other potential threats (such as a zero-day) you will have no data at all. In general, all threats which your business might be facing can be roughly divided into four types:

  • Those of which you know and have data (Mitigation threats).

  • Those of which you know and do not have data (State of Fear threats).

  • Those of which you don’t know and have no data (Blissful Ignorance threats).

  • Those of which you don’t know but have data (Under Your Nose threats).

Cyber Security Risk Navigation Matrix as presented in Pogrebna and Skilton (2019)

Now, all these threats relate to the corresponding risks, where:

  • Mitigation threats relate to risks which you can manage using a set of traditional quantitative risk assessment and risk management tools.

  • State of Fear threats refer to risks which you can insure against (i.e., you can purchase insurance if you know of those risks but it is hard or impossible to understand how big or grave those risks are).

  • There is not much you can do about risks related to Blissful Ignorance threats apart from discovering them.

  • Similarly, it is hard to do anything about risks related to Under Your Nose threats apart from detecting them.

Nevertheless, the goal is to translate all types of risk identified in the Matrix into those which you can manage, so that standard risk-management techniques can be applied to alleviate them. This can be achieved in the following way. To turn Insurable risks (State of Fear threats) into Manageable risks (Mitigation threats), you simply need to collect more data about them (via organisational communication or information sharing). Discoverable risks (Blissful Ignorance threats) need to be better understood to become Insurable, and can then be translated into Manageable risks. Detectable risks (Under Your Nose threats) can be assessed using the data you already have to become Manageable.

Take Aways

The growing uncertainty associated with the forthcoming economic recession creates additional pressures for businesses, often resulting in suboptimal decisions about cyber security. Planning, building, and managing techniques are useful for decreasing the underlying uncertainty about cyber security risks, especially in times of uncertainty. Yet it is equally important to keep calm and carry on with the regular cyber diagnostics and maintenance tasks, creatively combining what you learn about potential risks with an understanding of the underlying data about these risks and their magnitudes.

© 2020 by Ganna Pogrebna and Boris Taratine