
“Unforeseeable” Is the Wrong Word- What Camp Mystic Teaches Us About Risk June 4, 2026

Posted by Chris Mark in Risk & Risk Management.

There have been some heated debates online about Camp Mystic. For those who don’t recall, Camp Mystic was a Christian Camp that was flooded in July 2025 and took the lives of 27 people including 25 young campers. In reading some of the comments from people, I am dismayed at the defense of the safety officer. In fact, many people online simply said we “should forget about it and move on”. That is irresponsible. Accountability is key to prevent this from happening again.

More disturbing is the basic lack of understanding of ‘foreseeability’ and ‘risk’. This brief blog post is intended to explain, in layman’s terms, how risk management applies to Camp Mystic and how this could have been mitigated.

On July 4, 2025, floodwaters from the Guadalupe River swept through Camp Mystic, an all-girls camp in the Texas Hill Country. Twenty-seven children and counselors died.¹

In the aftermath came a word I’ve heard after nearly every preventable tragedy in thirty-five years of security work: unforeseeable. A local official captured the mood when he told reporters they had “no reason to believe” the flooding would be anything like what happened.¹

I want to take that word apart, because it doesn’t hold up—and understanding why it doesn’t hold up is one of the most useful things an ordinary person can learn. You don’t need an engineering degree. You just need to understand what risk actually is. The mistake at the heart of “unforeseeable” isn’t a Texas mistake or a summer-camp mistake. It’s a thinking mistake, and juries, executives, and well-meaning people make it constantly.

Risk Is Just Two Things

Most of us use “risk” as a fancy word for danger. It’s actually simpler than that. Risk is two things multiplied together: how likely something bad is, and how bad it would be if it happened.²

A paper cut is likely but trivial. A meteor strike would be catastrophic but is almost impossible. Neither keeps us up at night, because in each case one of the two numbers is tiny. The situations that demand real attention are the ones where both are meaningful—things that can plausibly happen and would be devastating. A camp full of sleeping children beside a river known to flood is exactly that.

Here’s the first thing worth understanding clearly: flooding is a natural hazard. Unlike a burglar or a hacker—who studies your defenses and adapts—a river doesn’t scheme. It behaves according to rainfall, terrain, and history. That makes flood risk one of the most predictable risks there is. We have decades of records, known flood maps, and a National Weather Service that issues warnings hours ahead. So the usual excuse offered after a surprise—“no one could have seen it coming”—carries almost no weight when the hazard is a river that has flooded the same valley for a century.

You Already Think Like This

Before we go further: there’s a good chance you’re already an expert at risk and don’t know it.

For years, teaching risk to people with no background in it, I’d tell a room full of parents: mothers are some of the best risk managers alive—they just don’t know they’re doing it. That got puzzled looks, so I’d walk them through it.

When it’s cold out, what do you tell your kids before they go outside? Every time, the same answer: put on a jacket. Why? “Because I don’t want them to get sick.” So I’d push a little—they can’t get sick unless they’re cold? “No,” they’d say, “but there’s a greater chance if they’re cold.”

That, right there, is risk management boiled all the way down. She spotted a hazard (cold), judged that it raised the likelihood of a bad outcome (illness), weighed the consequence, and put a control in place ahead of time (the jacket). She didn’t wait to see exactly how cold it would get, or whether this particular child would actually fall ill. She acted on the category of risk, in advance, with a standing rule.

Hold onto that, because it’s the same move that should have protected the children at Camp Mystic—and the same move whose absence is the whole story.

“Foreseeable” Doesn’t Mean “Predicted to the Inch”

This is the most important idea in this piece: foreseeability is about the kind of event, not its exact size.

When people call the Camp Mystic flood “unforeseeable,” they’re quietly swapping two very different claims:

1.  “We didn’t know a flood could happen here.”  This is false. The camp sits in a region locals literally call “flash flood alley.” The river had flooded before—including a deadly 1987 flood on the same stretch of water that killed teenagers being evacuated by bus.³ The hazard wasn’t just known; it was famous.

2.  “We didn’t expect a flood this severe.”  This may well be true—and it doesn’t matter. The exact height of the water is never known in advance. But you don’t need to predict the precise crest to know what to do.

Think of a smoke alarm. When it goes off at 3 a.m., you don’t lie in bed calculating how large the fire is or whether it’ll reach your bedroom. You get everyone out. The alarm tells you a category of danger exists; your response—leave the building—is the same whether the fire turns out to be small or total. Flood warnings work identically. Once “dangerous flooding is possible here” is established, the correct action—move people to higher ground—doesn’t change based on the forecasted number of feet. The warning triggers the action. The water’s eventual height does not.

That’s why “we didn’t expect it to be that bad” isn’t a defense. It’s an admission. It means someone decided in advance how bad a flood would have to be before they’d act—and then bet children’s lives that the real flood would stay under that line. It didn’t.

The “It’s Never Happened Before” Trap

A second common defense is some version of “we’ve been here for decades and never seen anything like it.” This sounds reasonable. It’s actually one of the most dangerous errors in all of risk thinking, and it has a name: the base-rate fallacy—treating “rare” as if it meant “won’t happen.”

Rare and impossible are not the same thing. A once-in-a-century flood doesn’t politely wait a hundred years between visits; “once a century” just describes its odds in any given year. It can arrive next Tuesday. And how often something has happened in the past is a separate question from whether you should be ready for it.

A rare-but-catastrophic event is precisely the kind you must plan for in advance, because—unlike a common nuisance you can learn from over time—it gives you no second chance. You don’t get to practice surviving the flood that kills the children. You get it right the first time or you don’t.

Responsible planning aims at the credible worst case, not the typical case. This isn’t paranoia; it’s the ordinary standard we apply everywhere lives are at stake. Hospitals keep backup generators that sit unused for years. Planes carry life vests for water landings that almost never happen. We don’t call those measures wasteful when the emergency finally comes. We call them prudent.

What the Record Actually Shows

The strongest answer to “unforeseeable” isn’t an argument at all. It’s the timeline.

Two days before the flood, on July 2, a state inspector reviewed Camp Mystic and confirmed it had a written disaster plan—including instructions for evacuating campers and emergency duties for each staff member. The camp’s director signed that report.⁴ Then the warnings came in stages: a National Weather Service flood watch on July 3, a flash flood warning in the early hours of July 4. According to the state’s own investigation, the director was receiving alerts on his phone overnight and grew concerned about the rising river before 2 a.m.—yet no evacuation of the children was ordered.⁵

Here’s the fact that collapses the defense entirely: you cannot claim you never imagined a danger that you had formally written a plan to survive. A disaster plan for floods is, by definition, an admission that floods were foreseeable. The failure wasn’t a failure of knowledge. It was a failure to act on knowledge already in hand. A Texas legislative investigation reached the same conclusion, finding the deaths preventable and the failures beginning “long before” the river ever crested.⁵

Why This Matters

There’s a fair objection here: after any disaster, the warning signs look obvious. Psychologists call it hindsight bias—the “I knew it all along” effect.⁶ It’s a real danger, and it’s why we shouldn’t blame people for missing subtle, ambiguous signals that only became clear afterward.

But that’s not what happened here. The signals weren’t subtle. There was a written plan naming the exact danger, official government warnings issued in advance, and a director awake and alarmed at the river’s rise. None of it is reconstructed after the fact. Hindsight bias protects people who faced a genuine fog. It doesn’t excuse those handed a clear warning and a ready-made plan who didn’t use them.

I learned long ago, working maritime security, why this distinction matters so much. A ship’s captain once told me, “Every safety measure we have is written in blood.” Every rule in his manual existed because someone had already died learning the lesson. That’s what accountability is for—not to punish the grieving, but to make sure the lesson gets written down once, so the next set of children doesn’t have to pay for it again.

“Unforeseeable” is the wrong word for what happened at Camp Mystic. The honest words are harder: the danger was known, the warnings arrived, the plan existed—and the gap was between knowing and acting. That gap is not an accident of nature. It is a decision. And decisions, unlike floods, are something we are responsible for.

References

1. ABC News. (2025, July 7). At least 27 dead at Camp Mystic as officials say they were caught off guard by the storm. Retrieved from https://abcnews.go.com

2. Kaplan, S., & Garrick, B. J. (1981). On the quantitative definition of risk. Risk Analysis, 1(1), 11–27. https://doi.org/10.1111/j.1539-6924.1981.tb01350.x

3. The Texas Tribune. (2025, August 14). After a 1987 flood killed teenagers on the Guadalupe River, Texas officials took little action. Retrieved from https://www.texastribune.org

4. Associated Press. (2025, July 9). Texas inspectors approved Camp Mystic’s disaster plan two days before deadly flood, records show. Retrieved from https://apnews.com

5. Associated Press. (2026, April 28). A timeline of key events in the deadly flooding at Camp Mystic in Texas. Retrieved from https://apnews.com

6. Fischhoff, B. (1975). Hindsight ≠ foresight: The effect of outcome knowledge on judgment under uncertainty. Journal of Experimental Psychology: Human Perception and Performance, 1(3), 288–299. https://doi.org/10.1037/0096-1523.1.3.288

MY LATEST BOOK RELEASED! “The Science of Security” May 16, 2026

Posted by Chris Mark in cyberespionage, cybersecurity, Industry News, InfoSec & Privacy, Laws and Legislation, Piracy & Maritime Security, Risk & Risk Management, security, security theater.

Announcing Scientia Securitatis: The Science of Security

After 34 years across nearly every security domain that exists — armed physical security at an overseas critical installation, combat force protection, security in a regional hospital’s psychiatric ward, payment-card industry compliance, armed maritime contracting off the East African coast, and a return to enterprise cybersecurity that has occupied the past decade — I have written the book I wish someone had written when I started.

Scientia Securitatis: The Science of Security — Theory, Frameworks, and Practice is available now.

The gap this book is intended to fill

The security profession does not lack books. Walk into any bookstore, scan any conference vendor floor, search any retailer’s security category, and you will find more material on cybersecurity, physical security, risk management, military theory, criminology, intelligence analysis, and organizational resilience than any single practitioner could read in a career. The field is overwhelmed with information.

What it lacks is integration.

Each security domain has developed its own vocabulary, its own frameworks, its own bestsellers, its own consultants. Each domain — when traced carefully to its analytical roots — is reaching for the same underlying concepts the next domain over named differently. Practitioners in physical and cybersecurity are working on the same analytical problems and rarely speak to one another. When they do, they discover that they have been duplicating each other’s work for decades.

Scientia Securitatis is an attempt to make that recognition the starting point of professional practice rather than an accident a few practitioners stumble into late in their careers.

What’s in the book

The book runs to 525 pages across 11 chapters and three appendices. It develops four original analytical frameworks:

  • The Mark Heptad — a taxonomy of seven adversary motivations (financial, espionage, war/defense, facilitation, hacktivism, revenge, nuisance) that maps directly to deterrence strategy
  • The IMCM Framework — Ignorance, Mistake, Complacency, Malice — for classifying human-induced vulnerabilities and matching them to specific interventions
  • The DIVE Framework — Direction, Intensity, Vulnerability, Exposure — for assessing specific exposure surfaces
  • The Multiplicative Security Model — the mathematical basis for defense-in-depth, with implications for how security architecture should actually combine

These original frameworks sit within a broader analytical apparatus drawn from criminology (Cohen and Felson’s Routine Activity Theory, Cornish and Clarke’s Twenty-Five Techniques of Situational Crime Prevention), cognitive science (Kahneman and Tversky on judgment under uncertainty), military theory (Sun Tzu, Clausewitz, contemporary unrestricted warfare doctrine), and systems-safety scholarship (James Reason’s Swiss Cheese Model, Charles Perrow’s normal-accident theory).

The book also examines — and critically engages — the victim-blaming reflex that dominates post-incident analysis, drawing on the foundational criminological literature on victim precipitation and contemporary case studies including Equifax, OPM, Target, and Snowflake.

A note on the Latin title

Scientia Securitatis translates as “the science of security,” and the choice was deliberate. The Latin signals that the book engages security as a serious analytical discipline whose intellectual roots long predate the cybersecurity industry’s tendency to treat its problems as historically unprecedented. The phenomena security examines are ancient; the framework for studying them rigorously has been available since at least the mid-20th century. The book argues that practitioners have, with rare exceptions, declined to use it.

Who this book is for

This book is for the practitioner who has noticed that decades of escalating security investment have not produced proportional security gains, and who wants to understand why. It is for the security executive building defensible programs across multiple domains. The policy professional confronting unrestricted warfare doctrine. The risk and compliance leader who suspects that frameworks alone are not stopping sophisticated adversaries. The graduate student approaching security as an analytical discipline rather than a job category.

It is not a tactical handbook. It is not a configuration guide. It is the analytical apparatus that determines whether tactical choices are well-made — the apparatus the field has been operating without.

Where to get it

Scientia Securitatis: The Science of Security is available now on Amazon in eBook, paperback, and hardcover formats:

Scientia Securitatis

If you find the book useful, please consider leaving a review. Self-published analytical nonfiction lives and dies by word-of-mouth among the practitioners it was written for — and a thoughtful Amazon review from a working professional is worth more to other professionals than any amount of marketing.

— Chris Mark

Holiday Shopping Safety! Debit or Credit? PIN or Pen? Check or Cash? November 18, 2020

Posted by Chris Mark in InfoSec & Privacy, Risk & Risk Management.

With the holidays around the corner, it is a hot time for criminals to steal from us all!  Cybercriminals are specifically after your money and cards.  There is ongoing confusion about whether cards are better than checks, or checks better than cash.  While we all have our own opinions, I think the argument is pretty clear that payment cards are the most secure option for consumers.  Read below!

For some background, I am a payment card security professional.  I have worked at both MasterCard and with Visa, as well as the other card brands. I now work at a major telco overseeing the payment security program. 2020 marks the 15th consecutive year someone has stolen my card at least once (17 times in 15 years) BUT…I wasn’t worried…read below to find out why!

Covid19: “The War God’s Face Has Become Indistinct” – China’s Unlimited Warfare Strategy April 14, 2020

Posted by Chris Mark in cybersecurity, Risk & Risk Management, terrorism.

UPDATE: Today (April 15, 2020) Fox News published an article supporting what has been proposed in this post.  Titled “Sources believe coronavirus originated in Wuhan lab as part of China’s efforts to compete with US,” the article lays out compelling evidence that China was attempting to demonstrate that China’s “…efforts to identify and combat viruses are equal to or greater than capabilities of the United States.” The article states that the evidence comes from classified and open-source sources and documents.  It further states that:

“…(China) blaming the wet market was an effort by China to deflect blame from the laboratory, along with China’s propaganda efforts targeting the US and Italy.”

For those who have not read Unrestricted Warfare, referenced in this post, I would strongly suggest you consider reading it.  The Fox News article is directly in line with China’s 1999 strategy of unlimited warfare against the US and European countries.

In 2013, I wrote an article for The Counter Terrorist  Magazine that identified the Chinese strategy of CyberWarfare. You can read the article here.

This followed a separate article I wrote for the same magazine called “CyberEspionage” that identified China’s efforts to infiltrate the US.  Both identify the Chinese focus on unlimited warfare discussed below.

Today, while reading the news, I came across an article that stated that US State Department cables (read CIA and Intelligence) have stated that the Covid19 virus may have originated in the Wuhan Viral Lab (WVL), which was testing the coronavirus in bats.  According to the Washington Post:

“As many have pointed out, there is no evidence that the virus now plaguing the world was engineered; scientists largely agree it came from animals. But that is not the same as saying it didn’t come from the lab, which spent years testing bat coronaviruses in animals, said Xiao Qiang, a research scientist at the School of Information at the University of California at Berkeley.”

No “Evidence” is distinctly different than “They did not do it”.  Keep in mind that in February, 2020, the US Government charged 4 Chinese Military members with the 2017 Equifax breach.

The question should be: “why would the Chinese launch viruses (if they did) and why would they hack US companies?”  The answer is actually pretty straightforward.   If you read the article from 2012, you will get much more information than in this blog post.

In 1990 the US engaged the Iraqi military in the Gulf War.  The Russians (then Soviets) and Chinese watched closely as the US went literally “toe to toe” with the world’s 5th largest standing army (Iraqi).  96 hours later, the Iraqi Army was soundly defeated.  Of particular note was the Battle of Medina Ridge (also called the Battle of 73 Easting) fought on Feb 27, 1991. It was an absolute rout. This convinced the Chinese that a “linear/kinetic war” with the US was unwinnable.

For this reason they embarked upon a new policy called “Unlimited/Unrestricted warfare”.

This is documented in the book called Unrestricted Warfare.  On first reading the document, I was shocked at what it contained.  In 1999, two Chinese People’s Liberation Army (PLA) colonels were tasked to write a document titled Unrestricted Warfare that outlines China’s approach to war with the West.   In short, the document articulates a new definition of warfare that includes using all economic, political, and PR means to fight ‘sub wars’ and ‘pseudo wars’.

While we sit in the US laboring under our definition of warfare, our adversaries are redefining the battlespace.  Here are some quotes from the document:

“If we acknowledge that the new principles of war are no longer “using armed force to compel the enemy to submit to one’s will,” but rather are “using all means including armed force and non-armed force, military and non-military, lethal and non-lethal means to compel the enemy to accept one’s interests.”[i]

“As we see it, a single man-made stock-market crash, a single computer virus invasion, or a single rumor or scandal that results in a fluctuation in the enemy country’s exchange rates or exposes the leaders of an enemy country on the Internet, all can be included in the ranks of new-concept weapons.”[i]

In short, the Chinese manipulating currency, or the press, or even paying a Harvard professor to be an agent can arguably be considered a ‘pseudo war’ consistent with their strategy of unlimited warfare.  As more information becomes available, I would not be surprised to see that this is much more than an “accident” in a lab in Wuhan.  Look at the financial toll it has taken on the world and how it positions the Chinese to be much larger players.


[i] House of Representatives. (Kindle Locations 325-327). Kindle Edition.

 


[i] Qiao Liang and Wang Xiangsui. Unrestricted Warfare. Beijing: PLA Literature and Arts Publishing House; 1999.

Dupont’s Titanium Oxide Color Recipe- Stolen for Chinese Advantage July 22, 2015

Posted by Chris Mark in Industry News, InfoSec & Privacy, Risk & Risk Management.

Oddly (to me anyhow) this is the 2nd most  popular post on my blog!  It was written over 3 years ago but since it gets so much traffic I thought I should re-post.  Here it is in 2015!

Many mistakenly believe that only “high tech” secrets and intellectual property are targets for intellectual property theft.  In a clear example of how any proprietary secret can be considered a target, a scientist (Tse Chao) who worked for Dupont from 1966-2002 (36 years!) pleaded guilty in Federal court on Thursday to committing espionage for a company controlled by the Chinese government.  Mr. Chao testified that he provided confidential information to the Chinese-controlled Pangang Group. What did he steal? Among other things, the recipe for Dupont’s Titanium Dioxide.  What is TD used in?  Titanium Dioxide is the ingredient in many white products that makes the products white.  Products such as paint, toothpaste, and Oreo cookie filling!  Stealing the ingredients to Oreos shows just how low cyberthieves will go!   According to court documents: “DuPont’s chlorine-based process was eagerly sought by China, which used a less efficient and more environmentally harmful production method.”

I have worked with a number of large companies who, when asked why they did not protect trade secrets, replied that they did not believe their industry or type of product was of interest.  Make no mistake.  If your company has a unique process, technology, or product, it IS of interest to many companies.  Unfortunately, the US Government has released reports that state that China is sponsoring much of the cyber espionage against the US and Europe.
