Are You A Cyber Security Gambler?
How you answer this question is at the heart of your IACS cyber security strategy, but first, let's analyze the question.
What is a gambler? Well, the Oxford English dictionary defines "gamble” as “taking a risky action in the hope of a desired result” or alternatively, “a risky action undertaken in the hope of success.” So, with this definition there are two key themes:
(1) The uncertainty of the outcome; (i.e., “risky action”) and
(2) The outcome being beyond the action taker’s control or influence (i.e., “hope” of a positive outcome).
Therefore, a gambler can be viewed as someone who makes a “risk-reward” decision; with the reward being the “desired result” or “success” and the risk being the amount (or lack) of control or influence the gambler's actions have on achieving the reward. There is a lack of control that one who is a gambler would have over the outcome.
The risk is determined by the specific actions undertaken to achieve the reward; with potential actions ranging from inaction (after all no decision is a decision) to “spare no expense". If you gamble with your IACS cyber security strategy by not taking control to assure a positive outcome, then there is the increased risk of an IACS cyber security incident (i.e., "risky actions"). .And you are essentially being a cyber security gambler.
There is no one size fits all risk-reward definition so answering the gambler question requires a very clear understanding of what reward(s) you seek and what action(s) you’re willing to undertake to achieve the reward(s). Beware; these seemingly simple considerations may not be as easy as they sound so in the future we’ll explore some common pitfalls.
In the meantime, what do you think? Are you a cyber security gambler?
By Greg Hudson, PE
By Greg Hudson, PE