A Case Study in Poor Risk Assessment

Assessing Coronavirus risk is an interesting case study in how humans broadly assess risk, and how poorly they do it. Everyone on the planet has been doing a risk assessment, so it makes a good analogy with a great deal of relevance across the risk industry.

Most often, it seems to me (not being a scholar on the subject), we assess risk based on “Well, nothing came of SARS, so nothing will come of this,” or something similar. In general we use experience to assess risk, and that supports a reasonable approach when a lot of solid information is not known. “The last person to go into that cave did not come out.” Experientially, that means maybe not going into that cave is a good plan.

If we have information, though, that says “the cave is about to collapse,” our tendency is to say “But I have been going into the cave for 5 years and nothing has ever happened! Worry wart.” We are really bad at assessing the risk of something that has not happened in our experience.

So with Coronavirus, most people in general assess the risk of widespread impact as very, very low or nonexistent, because that sort of thing has never happened (or at least not since 1918). Yet the data is out there: it is relatively contagious, you can be infectious without having symptoms, it has a very long incubation period, its death rate is 2-4%, etc., and all of that supports the probability of a global pandemic (which we now have). The data was out there to support the current, and growing, global impacts, but we have been extremely conflicted on what actions and preparations are needed for the black swan event. Just last week I heard, “This is stupid. The Flu has killed more people.” True, but all the data now points to Coronavirus having a much, much larger global death toll, broad economic impacts, etc., but of course that has never happened before.

Drawing the parallel into my own area of endeavor, the same thing occurs when assessing the cyber risk of something that has not happened in a company’s experience. You can even draw a parallel between the lack of testing kits and companies not knowing when they are infected. I cannot count the number of times I have heard something similar to “Name one time we have been hacked?” In fact, in one global F100 company, on hearing that I spent just one Friday afternoon demonstrating, “Well, how about these dozen or so instances right now?” I was counseled that I was causing undue concern, and the company’s very, very limited detection and response organization returned to doing their very best impression of hear no evil, see no evil, speak no evil.

As we work on building risk assessment capabilities, and really on building risk-based approaches into all aspects of business activity, we need to take into account this paradox of how people look for and assess the risk that “has never happened.”

