Rethinking Risk Black Swans, Tsunamis and Planning for the Unbelievable Bill Sewall, JD & CISSP (510)

Bill Sewall, JD & CISSP Consultant Specialties - Information security, compliance, training and operational risk Experience Teacher Attorney & General Counsel CIO & COO Information Security Officer Operational Risk Officer 25 years with CitiGroup 2

Agenda What is a Black Swan event? How our emotions, instincts and personal experience cloud our perception of risk Golden Boy Syndrome An alternate proposal for looking at risk Black Swans and some suggested ways to approach them 3

4

5

1.It lies outside the realm of regular expectations 2.It carries an extreme impact 3.Human nature makes us concoct explanations for its occurrence after the fact, making it explainable and predictable. “The Black Swan” by Nassim Nicholas Taleb 6

"There's not a doubt in my mind that you will see a spate of municipal bond defaults," Whitney predicted. Asked how many is a "spate," Whitney said, "You could see 50 sizeable defaults. Fifty to 100 sizeable defaults. More. This will amount to hundreds of billions of dollars' worth of defaults." 7

8

Annual Loss Expectancy = Single Loss Expectancy  Annualized Rate of Occurrence Risk = Impact  Probability Probability = Vulnerability  Threat 9

10

Risk management should be a rational process. Instead, most of our daily risk decisions are based on emotion, our unique personal experiences and instinct. 11

12

What Parents Fear Most* 1.Kidnapping 2.School snipers 3.Terrorists 4.Dangerous strangers 5.Drugs *NPR: 13

What Parents Should Fear 14

15

“Golden Boy Syndrome” We continually seek out leaders and role models. And we are willing to support our heroes, give them our money and let them guide us, even when there is clear evidence that they are dead wrong. 16

“When the music stops, in terms of liquidity, things will be complicated. But as long as the music is playing, you've got to get up and dance. We're still dancing.” 17

18

19

Alan Greenspan is “no longer the Man Who Knows; he’s the man who … refused to do anything about subprime, insisted that derivatives made the financial system more stable, denied not only that there was a national housing bubble but that such a bubble was even possible.” – Paul Krugman, Nobel economist. 20

“There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don't know we don't know.” Donald Rumsfeld 21

1.People exaggerate spectacular but rare risks and downplay common risks. 2.People have trouble estimating risks for anything not exactly like their normal situation. 3.Personified risks are perceived to be greater than anonymous risks. 4.People underestimate risks they willingly take and overestimate risks in situations they can't control. 5.Last, people overestimate risks that are being talked about and remain an object of public scrutiny. * “Beyond Fear”, Bruce Schneier 22

Most of our risk decisions are based on instinct, emotions and our unique experiences, not on a rational, objective methodology. In information security we are further hampered by the lack of: Consistent historical data that would support an actuarial risk assessment process; and A commonly agreed risk assessment methodology 23

24 You can’t calculate information security risk down to the decimal point.

Risk = Impact  Probability 25

Risk = Impact  (Vulnerability  Threat) 26

27

28

Type, Frequency, Duration & Loss 29

30

31

32

33

34

35

Impact Probability Risk 36

Impact Probability Risk 37

Probability 38

How can we prepare for the unknown? 39

Rule #1. Risk is in the details. Take care of the little things and the big things become far less likely. 40

41

Rule #2. Pay special attention to those Black Swans that you can control. Don’t waste your time on the uncontrollable unknowns. ControllableUncontrollable “Great Recession” Deepwater Horizon 9/11 Meteor Strike Magnitude 10 Earthquake Alien Invasion Japan Tsunami? 42

Rule #3. Pay special attention to those risks that are easily scalable. How much would have to go wrong before a $1,000 event becomes a $1 million event? 43

44

Rule #4. When dealing with Black Swan possibilities, make your assessment of the risk very carefully. Then throw it away and start again, because you likely made the decision based on emotions, gut instinct or personal experience. 45

46

Rule #5. When considering risks related to fraud, think like a criminal The problem is that we invest too much of our experiences and emotions into risk assessment Suggestion – Role play. Remove yourself from the process and think like the criminal. 47

Rule #6. Black Swans are becoming more prevalent. A highly industrialized, technologically advanced and interdependent global economy is more prone to catastrophic disruptions than a world dominated by a handful of independent industrialized countries. 48

49

Rule #7. There are no “Unknown Unknowns.” We know all the risks, it is just that we choose to ignore most Black Swans. They are often just too painful to deal with. Denial 50

“There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don't know we don't know.” Donald Rumsfeld 51