Rethinking Risk: Black Swans, Tsunamis and Planning for the Unbelievable
Bill Sewall, JD & CISSP
(510) 275-4735
www.bsewall.com

Bill Sewall, JD & CISSP
• Consultant
• Specialties: information security, compliance, training and operational risk
• Experience:
  • Teacher
  • Attorney & General Counsel
  • CIO & COO
  • Information Security Officer
  • Operational Risk Officer
• 25 years with CitiGroup

Agenda
• What is a Black Swan event?
• How our emotions, instincts and personal experience cloud our perception of risk
• Golden Boy Syndrome
• An alternate proposal for looking at risk
• Black Swans and some suggested ways to approach them

1. It lies outside the realm of regular expectations.
2. It carries an extreme impact.
3. Human nature makes us concoct explanations for its occurrence after the fact, making it explainable and predictable.
“The Black Swan” by Nassim Nicholas Taleb

"There's not a doubt in my mind that you will see a spate of municipal bond defaults," Whitney predicted. Asked how many is a "spate," Whitney said, "You could see 50 sizeable defaults. Fifty to 100 sizeable defaults. More. This will amount to hundreds of billions of dollars' worth of defaults."

Annual Loss Expectancy = Single Loss Expectancy × Annualized Rate of Occurrence
Risk = Impact × Probability
Probability = Vulnerability × Threat

Risk management should be a rational process. Instead, most of our daily risk decisions are based on emotion, our unique personal experiences and instinct.

What Parents Fear Most*
1. Kidnapping
2. School snipers
3. Terrorists
4. Dangerous strangers
5. Drugs
*NPR: http://www.npr.org/blogs/health/2010/08/30/129531631/5-worries-parents-should-drop-and-5-they-should?sc=fb&cc=fp

What Parents Fear vs. What Parents Should Fear
What Parents Fear            What Parents Should Fear
1. Kidnapping                1. Car accidents
2. School snipers            2. Homicide by friends or relatives
3. Terrorists                3. Abuse
4. Dangerous strangers       4. Suicide
5. Drugs                     5. Drowning

“Golden Boy Syndrome”
We continually seek out leaders and role models. And we are willing to support our heroes, give them our money and let them guide us, even when there is clear evidence that they are dead wrong.

“When the music stops, in terms of liquidity, things will be complicated. But as long as the music is playing, you've got to get up and dance. We're still dancing.”

Alan Greenspan is “no longer the Man Who Knows; he’s the man who … refused to do anything about subprime, insisted that derivatives made the financial system more stable, denied not only that there was a national housing bubble but that such a bubble was even possible.” – Paul Krugman, Nobel economist.

“There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don't know we don't know.” Donald Rumsfeld

1. People exaggerate spectacular but rare risks and downplay common risks.
2. People have trouble estimating risks for anything not exactly like their normal situation.
3. Personified risks are perceived to be greater than anonymous risks.
4. People underestimate risks they willingly take and overestimate risks in situations they can't control.
5. Last, people overestimate risks that are being talked about and remain an object of public scrutiny.
* “Beyond Fear”, Bruce Schneier http://www.schneier.com/essay-155.html

• Most of our risk decisions are based on instinct, emotions and our unique experiences, not on a rational, objective methodology.
• In information security we are further hampered by the lack of:
  • Consistent historical data that would support an actuarial risk assessment process; and
  • A commonly agreed risk assessment methodology

You can’t calculate information security risk down to the decimal point.
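The ALE and probability formulas above, worked through on a small portfolio, as an added example that is not part of the deck. The formulas are the slide's own (ALE = SLE × ARO, Probability = Vulnerability × Threat); the three scenarios and all of their figures are constructed placeholders. The point it shows is the one on the last slide: once the inputs are only known to within a factor of two or three, the ALE can range over several orders of magnitude, and even the ranking of scenarios may not survive the uncertainty.

```python
# Added example, not from the slides: the deck's ALE formula with the
# uncertainty of its inputs carried through. The formulas are the ones on
# the slide (ALE = SLE x ARO, Probability = Vulnerability x Threat); the
# scenarios and their figures are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    sle: float            # Single Loss Expectancy: dollars lost per occurrence
    vulnerability: float  # chance that one attempt succeeds, 0..1
    threat: float         # expected attempts per year


def annualized_rate(s: Scenario) -> float:
    """Probability = Vulnerability x Threat, here as successful events per year."""
    return s.vulnerability * s.threat


def ale(s: Scenario) -> float:
    """Annual Loss Expectancy = SLE x ARO."""
    return s.sle * annualized_rate(s)


def ale_bounds(s: Scenario, factor: float) -> tuple[float, float]:
    """ALE range when every input is only known to within a multiplicative factor.

    The low end divides each input by `factor`, the high end multiplies it;
    vulnerability is a probability, so the high end is capped at 1.0.
    With three uncertain inputs the range can span factor**6, which is why
    a dollars-and-cents ALE is false precision.
    """
    low = Scenario(s.name, s.sle / factor, s.vulnerability / factor, s.threat / factor)
    high = Scenario(s.name, s.sle * factor, min(1.0, s.vulnerability * factor), s.threat * factor)
    return ale(low), ale(high)


def rank_by_ale(scenarios, factor: float):
    """Rows of (name, ALE, low, high) sorted by point-estimate ALE, highest first."""
    rows = [(s.name, ale(s), *ale_bounds(s, factor)) for s in scenarios]
    return sorted(rows, key=lambda row: row[1], reverse=True)


def ordering_is_robust(ranked) -> bool:
    """True only if each scenario's whole ALE range lies above the next one's.

    If neighbouring ranges overlap, the ranking would change under a different
    but equally defensible set of input estimates.
    """
    return all(upper[2] > lower[3] for upper, lower in zip(ranked, ranked[1:]))


# Constructed scenarios: the numbers are placeholders, not measured data.
PHISHING = Scenario("Phishing-led credential theft", sle=50_000, vulnerability=0.2, threat=10)
RANSOMWARE = Scenario("Ransomware on file server", sle=400_000, vulnerability=0.05, threat=4)
LAPTOP = Scenario("Lost unencrypted laptop", sle=20_000, vulnerability=0.5, threat=1)
PORTFOLIO = (PHISHING, RANSOMWARE, LAPTOP)


if __name__ == "__main__":
    ranked = rank_by_ale(PORTFOLIO, factor=2.0)
    for name, point, low, high in ranked:
        print(f"{name:32s} ALE ${point:>10,.0f}   range ${low:,.0f} to ${high:,.0f}")
    print("ranking survives a 2x input uncertainty:", ordering_is_robust(ranked))
```

With a factor of 1.0 the ranges collapse to the point estimates and the ordering holds; with a factor of 2.0 every range overlaps its neighbour, so the phishing-over-ransomware ordering rests on the estimates rather than on anything measured. That is the practical content of "you can't calculate it down to the decimal point": report ranges, and treat a ranking as settled only when the ranges do not overlap.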
Risk = Impact × Probability
Risk = Impact × (Vulnerability × Threat)

Type, Frequency, Duration & Loss

[Diagram: Impact, Risk, Probability]

Long Tail & Black Swans
[Chart: probability (0% to 20%) against losses in millions ($0 to $100), showing the long tail of rare, high-loss events]

How can we prepare for the unknown?

Rule #1. Risk is in the details.
• Take care of the little things and the big things become far less likely.

Rule #2. Pay special attention to those Black Swans that you can control.
• Don’t waste your time on the uncontrollable unknowns.
Controllable:
• “Great Recession”
• Deepwater Horizon
• 9/11
Uncontrollable:
• Japan Tsunami?
• Meteor Strike
• Magnitude 10 Earthquake
• Alien Invasion

Rule #3. Pay special attention to those risks that are easily scalable.
• How much would have to go wrong before a $1,000 event becomes a $1 million event?

Rule #4. When dealing with Black Swan possibilities, make your assessment of the risk very carefully.
• Then throw it away and start again, because you likely made the decision based on emotions, gut instinct or personal experience.

Rule #5. When considering risks related to fraud, think like a criminal.
• The problem is that we invest too much of our experiences and emotions into risk assessment.
• Suggestion – Role play. Remove yourself from the process and think like the criminal.

Rule #6. Black Swans are becoming more prevalent.
• A highly industrialized, technologically advanced and interdependent global economy is more prone to catastrophic disruptions than a world dominated by a handful of independent industrialized countries.

Rule #7. There are no “Unknown Unknowns.”
• We know all the risks; it is just that we choose to ignore most Black Swans.
• They are often just too painful to deal with.
• Denial

“There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don't know we don't know.” Donald Rumsfeld
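The "Long Tail & Black Swans" chart, Rule #3 (scalability) and Rule #7 (denial), worked through on a constructed loss distribution, as an added example that is not from the deck. The eight loss buckets and their probabilities are invented to match the chart's shape (probability against losses from $0 to $100 million); nothing in them is measured data. The example shows how large a share of the expected loss sits in the rare buckets, what the estimate looks like when those buckets are simply left out, and how few multiplicative failures turn a $1,000 event into a $1 million one.

```python
# Added example, not from the slides: a constructed loss distribution shaped
# like the "Long Tail & Black Swans" chart. Expected loss is the slide's
# Risk = Impact x Probability summed over the buckets. All figures invented.

# (loss in $ millions, probability that the year's worst event lands in this bucket)
LOSS_DISTRIBUTION = [
    (0, 0.40), (1, 0.25), (2, 0.15), (5, 0.10),
    (10, 0.06), (20, 0.03), (50, 0.008), (100, 0.002),
]


def is_normalized(dist, tolerance=1e-9) -> bool:
    """Sanity check: the bucket probabilities must sum to 1."""
    return abs(sum(p for _, p in dist) - 1.0) < tolerance


def expected_loss(dist) -> float:
    """Risk = Impact x Probability, summed over every bucket ($ millions)."""
    return sum(loss * prob for loss, prob in dist)


def tail_share(dist, threshold):
    """(probability mass, share of expected loss) for buckets at or above threshold.

    Small mass with a large share is the signature of a long tail: the events
    that almost never happen carry a disproportionate part of the risk.
    """
    tail = [(l, p) for l, p in dist if l >= threshold]
    return sum(p for _, p in tail), expected_loss(tail) / expected_loss(dist)


def expected_loss_ignoring_tail(dist, cap) -> float:
    """The estimate a team gets when it refuses to model anything above `cap`
    (Rule #7's denial): the tail buckets are dropped rather than re-weighted."""
    return expected_loss([(l, p) for l, p in dist if l <= cap])


def steps_to_scale(base: float, target: float, factor: float) -> int:
    """Rule #3: how many things, each multiplying the loss by `factor`, must go
    wrong before a `base` loss becomes a `target` loss. A loop avoids the
    rounding trap of ceil(log(target/base) / log(factor))."""
    if factor <= 1:
        raise ValueError("factor must be greater than 1")
    steps, loss = 0, base
    while loss < target:
        loss *= factor
        steps += 1
    return steps


if __name__ == "__main__":
    assert is_normalized(LOSS_DISTRIBUTION)
    total = expected_loss(LOSS_DISTRIBUTION)
    mass, share = tail_share(LOSS_DISTRIBUTION, threshold=20)
    print(f"expected annual loss: ${total:.2f}M")
    print(f"events of $20M or more: {mass:.1%} of the probability, {share:.0%} of the expected loss")
    print(f"estimate if nothing above $10M is modelled: ${expected_loss_ignoring_tail(LOSS_DISTRIBUTION, 10):.2f}M")
    print("failures (x10 each) from $1,000 to $1,000,000:", steps_to_scale(1_000, 1_000_000, 10))
```

On these constructed figures the $20M-and-up buckets hold 4% of the probability but 42% of the expected loss, and capping the model at $10M cuts the estimate from $2.85M to $1.65M. Three independent tenfold amplifiers are all it takes to move from $1,000 to $1 million, which is the question Rule #3 asks of each risk.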