
Risk 102- Lose “A” Match but Win “THE” Game

March 23, 2012

Posted by Chris Mark in Risk & Risk Management, weapons and tactics.

Risk management is about decisions.  Given certain information, people then make decisions that they hope will minimize the risk of a particular outcome.  This post is about risk and decisions.

Years ago I was a young Marine attending the USMC’s Amphibious Reconnaissance School (ARS).  Upon successfully passing the school I would be conferred with the coveted Military Occupational Specialty (MOS) of 0321- Reconnaissance Marine.  Recon Marines operate in very small teams conducting various reconnaissance missions to provide intelligence to the commander. The last phase of ARS training is known as “patrolling phase”.  This is where all the students put their skills to use and run back-to-back patrols for a week while being graded by the instructors.

During one of the final patrols we came upon a road known in military speak as a “linear danger area” and were considering a “two man bump” and other techniques to safely cross the danger area.  After having not slept for the better part of a week my mind was a bit foggy.  I asked the instructor: “SSGT, if we apply these techniques can we be confident that we will cross safely?”  He looked at me and said: “Mark, you can do everything by the book and exactly right and still get your entire team killed.  All you can do is make tactically sound decisions and hope for some luck.”  Certainly without meaning to do so, this Marine Staff Sergeant articulated the idea of risk and risk management as well as any academic.

As discussed in “Risk 101: An Introduction to Risk”, Risk is about understanding the chance (probability) of an event occurring and the impact of such an event.

In the case above, the risk is that a recon team would be seen by a larger, better-armed enemy force and ultimately be engaged, resulting in the death of the Marines.  The important thing to remember is that even if we have sophisticated statistics to estimate the probability to expect for a given event, there is still uncertainty.  Quite simply, while we may be better or worse at estimating the probability, we can never be certain as to the chance.  There are too many variables to account for. For this reason the decisions are made on a “best guess” basis.  This is the foundation of making “tactically sound decisions”.

As stated by Terje Aven in Foundations of Risk Analysis- “The ability to define what may happen in the future, assess associated risks and uncertainties, and to choose among alternatives lies at the heart of the risk management system…”

In the case of the previous example, the teams have intelligence that gives some indication of where the enemy may be.  By making decisions based upon the intelligence and applying tactically sound movements (moving at night, avoiding danger areas, etc.), the team can reduce the likelihood of being detected.  Tactically sound techniques (ensuring proper spread in the patrol, conducting leader’s recon, immediate action drills) can potentially reduce the impact should the team be seen by allowing at least some team members to survive contact with the enemy.  Even so…there is a chance that things go bad and the team is killed.  Does this mean the risk analysis and the risk management techniques were a failure?  No.

While a single team being compromised is not a positive outcome, it does not mean that the overall risk management was flawed.  At any given time there are a number of recon teams in front of the units conducting various reconnaissance missions.  If one team is compromised yet 4 teams are successful, the success of the overall mission may be considered positive.  Again, Aven succinctly describes the objective of risk management and decision making when he says:

“…that such a process of decision-making and risk-taking provides us with positive outcomes when looking at the society as a whole, the company as a whole, over a certain period of time. We cannot avoid ‘negative’ outcomes from time to time, but we should see ‘positive’ outcomes as the overall picture.”

Whether we are talking about conducting reconnaissance missions, playing poker, coaching a football game, considering security implementations, or diversifying an investment portfolio, the criterion for success should not be 100% success but rather a positive outcome over a period of time.   A poker player knows that, in spite of their skill, they will lose some hands.  Peyton Manning will make some terrible throws from time to time and even Warren Buffett has made some terrible investments from time to time.  In each of these examples, however, the expectation is not perfection on every hand, throw, or investment but rather a positive outcome over time.

This is important because in information security there seems to be a perception that companies should have infallible security.  It is simply not possible.  The goal may be perfection but the expectation should be to win over the long term even when losing some matches, throwing some interceptions, or making bad investments.
