Flight of the Black Swan

The term “black swan event” was introduced by Nassim Nicholas Taleb in the book Fooled By Randomness. Black swan events have three major characteristics: they are rare, they cause a significant or extreme impact, and upon retrospection, they are actually predictable.
 
As described very well in this Wired article, “getting hacked” is a black swan event. While “getting hacked” can mean many different things, let’s take the example as used in the Wired article of having your identity stolen by hackers.

• It is rare enough that many of us will probably never experience it.
• Some cases have an extreme impact such as having your identity stolen, losing funds from your bank account, or having your computer or mobile devices wiped.
• And as this blog and any number of other websites, news outlets, and information security professionals will tell you, hacking is a predictable event – it is not a question of if, but when you will be hacked.

The Wired article points out an interesting point regarding behavioral economics when it comes to situations such as this:

we already know how we should protect ourselves online, we just choose not to do so. Hardening your internet identity, whether through new passwords, a backup regimen, or other means, costs time and energy in the present, and pays dividends only in some far-off hypothetical future.

There are numerous examples of these “black swan” events all around; passwords are being stolen from websites at an alarming rate. The latest Identity Theft Resource Center breach statistics report (pdf) reveals that there were 399 breaches in the first 11 months of 2012, compromising over 15 million records. Most people have heard stories like what happened to Mat Honan, or even what happened to me.

This particular black swan is in flight. There will be a hack that will affect you. While it is rare, it will have a significant impact and is completely predictable. The question now is, what are you doing about it?

Our recommendation is that you take a hard look and assess how prepared you are for certain kinds of attacks, such as a breached password, an unlocked file cabinet, or an unpatched operating system. Understanding what might happen if things go bad will help you understand where you need to get better. Our Information Protection Assessment (IPA) solution provides this capability for organizations. We conduct guided conversations with the knowledgeable individuals about all the different areas where information must be protected.

By knowing what information needs to be protected, what protections you do (or don’t) have in place, and what risks you’re willing to take even in the face of this knowledge, you can be better prepared for the eventuality of this black swan visiting you.