13death

So there are a lot of ways to die. Like a lot. We worry about obscure ways to die. It's gruesome, really, to die via an asteroid or "space junk" strike (so much so that we make TV shows about it), hockey puck death, or obscure elevator amputations.

…sort of like the various ways that IT security failures can cause security incidents. Now I've argued in the past that not all failure is bad, but in this post I want to talk about an important distinction that is often missed in risk assessments, and that's the role of temporal factors. Put plainly, time matters.

This article and accompanying graph are a great way to organize some common ways to die (if you are looking for something to do on a Friday night). But it includes something that is missing from a lot of IT risk assessments: time.

Many assessment methods will tell you to assess “likelihood” such that you end up with some values like 80% or “Medium” etc. Now if you’ve been around me for any length of time, you will know that I quote “Fight Club” prodigiously to explain the problem with these values: “On a long enough timeline, the survival rate for everyone drops to zero.” And that’s why frequency matters. 80% what, tomorrow? In the next week? Year? Ever? Imagine if weather forecasts went the same way: just a picture of a rain cloud, no date, no day of the week, just a number that says 80% chance of rain. Should you bring an umbrella tomorrow? Next week? When?
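To make the umbrella point concrete, here is a small added example (mine, not part of the original post). It assumes incidents arrive at a constant average rate, so the probability of at least one incident over a horizon follows the Poisson model 1 - e^(-rate * time); under that assumption it shows how many different incident frequencies a bare "80%" can hide, and why any fixed frequency climbs toward certainty once the timeline is long enough.

```python
import math

# Candidate periods someone might silently have in mind when they say "80%".
# Constructed for illustration; the period names are my own labels.
PERIODS_IN_YEARS = {
    "per day": 1 / 365,
    "per week": 1 / 52,
    "per year": 1.0,
    "per decade": 10.0,
}


def prob_at_least_one(events_per_year: float, horizon_years: float) -> float:
    """P(at least one incident within the horizon), assuming a constant
    average incident rate (Poisson arrivals)."""
    return 1.0 - math.exp(-events_per_year * horizon_years)


def rate_from_prob(prob: float, period_years: float) -> float:
    """Inverse of prob_at_least_one: the annual incident rate implied when a
    probability is stated for a given period (e.g. "80% per year")."""
    if not 0.0 <= prob < 1.0:
        raise ValueError("probability must be in [0, 1)")
    return -math.log(1.0 - prob) / period_years


def implied_annual_rates(prob: float) -> dict:
    """For a likelihood quoted with no period, the annual incident rate it
    would mean under each candidate period. The spread is the whole point."""
    return {name: rate_from_prob(prob, yrs) for name, yrs in PERIODS_IN_YEARS.items()}


def survival_curve(events_per_year: float, horizons: list) -> list:
    """P(at least one incident) at each horizon: the 'long enough timeline'."""
    return [prob_at_least_one(events_per_year, h) for h in horizons]


if __name__ == "__main__":
    # Same "80%", four wildly different realities depending on the unstated period.
    for name, rate in implied_annual_rates(0.8).items():
        print(f'"80%" {name:<11} -> about {rate:8.1f} incidents per year')

    # The baby-alligator case from the post: roughly one event per 50 years.
    gator = 1 / 50
    for h in (1 / 365, 1, 50, 500):
        print(f"rate 1/50yr over {h:>8.4f} years -> P = {prob_at_least_one(gator, h):.6f}")
```

The curve for any nonzero rate heads to 1 as the horizon grows, which is exactly why a likelihood with no period attached is not a measurement of anything.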

So this is why I let my kid hold a baby alligator. Because, honestly, the odds of death by baby alligator are like, really really rare. Like 1/50 years or more (I dunno, I’m not an alligator expert). Plus, its mouth was taped up so yeah. Controls and such. And now she has a cool life experience and picture she can cherish :-)

So the next time you see likelihood without any reference to a time period, call Shenanigans. It's bogus science and you don't have to tolerate it.