May 4th, 2023 - Nassim Nicholas Taleb, a renowned philosopher and statistician, is known for his work on risk and uncertainty. Taleb has written extensively about the concept of asymmetry of risk, which he defines as a situation where the potential downside of an event is much greater than the potential upside. In other words, the risks are not evenly distributed.
Taleb argues that many events in life exhibit asymmetry of risk and that we often fail to appreciate the full extent of the downside. For example, the risks associated with certain financial investments, such as options, can be highly asymmetric. When buying an option, the potential loss/downside is limited to the price of the option, while the potential gain/upside is unlimited. Another example Taleb uses to illustrate the asymmetry of risk is that of a turkey being fattened up for Thanksgiving. From the turkey’s perspective, each day brings more food and a greater sense of security (upside). However, as Thanksgiving approaches, the turkey’s fate becomes increasingly certain, and the downside risk (being slaughtered and eaten) is much greater than any potential upside (continued good living).
Taleb believes that it is important to recognize the existence of asymmetry of risk, and to take steps to protect against the downside. In the world of cybersecurity, the concept of asymmetry of risk is particularly relevant: the downside risks of a successful cyber attack can be catastrophic. A successful cyber attack can result in the theft of sensitive data, financial loss, reputational damage, and legal liability. In some cases, the damage caused by a cyber attack can be irreversible, leading to the loss of customers, investors, and even the business itself.
On the other hand, the potential upside of preventing a cyber attack may be relatively small. Investing in cybersecurity measures can be costly and time-consuming, and may not provide a direct and “visible” return on investment. This creates an asymmetry of risk, where the downside of a cyber attack is much greater than the potential upside of preventing it.
There have been 29 reported cyber attacks on local governments this year, and yesterday’s attack on several Dallas-based public entities, including the City of Dallas and Dallas County, is the latest one. It is believed to have been caused by a possible ransomware attack by the Royal group. The City of Dallas police department’s CAD system was down, which is another example that cyber attacks at times even put lives at risk.
In their ransomware note, the Royal group emphasized that the City has been trying to save money on its security, which sheds light on the asymmetry of risk. This is clearly a mistake by the decision-makers in the City, which could have been prevented by not ignoring the upside/cutting costs on security. This was mistake #1.
Now here is the second asymmetrical risk and an even more important question: Was taking down the systems (upside #2) rather than paying the ransom a justifiable decision? What if that leads to loss of lives (downside #2), which is way graver than downside #1 (the breach in the city)? Should the affected organizations pay the ransom in exchange for protecting the lives of their residents, which is their responsibility and the reason for their existence, or risk the lives of the residents to take the systems down and clean up everything, which may take days, weeks or even months?
(Last year, the Dallas County Central Appraisal District’s operations were stunted for 72 days.)