Are the consequences a little different now, of a car crash?
You bet they are, right?
[LAUGH] Now it's not just you, but you're bringing a little baby along.
And if you get in an accident,
then the first question anybody's going to ask is, is the baby okay?
[LAUGH] They don't ask about you.
It's because the consequences increased, do you follow?
So there's really two ways that risk can be affected by some change in a system.
Risk is inherently something that's measured based on change,
and we'll get to that in a minute.
But let's think about this.
The first thing is the Probability of an Attack, in terms of cybersecurity,
can increase or the Consequence of the Attack can increase.
So for example, a system that's put in place that has customer records on it.
Let's say it's 1,000 customer records.
And I put it in a system and
it sits behind a gateway that's not connected to the Internet.
And it's just private and has x amount of risk.
I don't want my customer records exposed, but it's on a network that's private.
I think we're good.
You'd measure that risk as some number.
Now it's tricky because you'd say, what number?
Like is there some universal scale that we all use, and we have unity risk at zero?
It's not like that.
What happens instead is that you pick some numeric scale.
Sort of like the stock market, where there's a number.
You buy a stock at a number.
Does it matter how much that stock costs when you buy it?
No, but it matters whether it goes up or down, and risk is like that as well.
So what we would do is something called baselining.
We do that a lot in system security engineering, where you baseline a number.
And you come up with some reasonable sensitivity in terms of probability and
consequence.
And you just say, this is my baseline unit risk at some point in time.
So does that make sense?
So you baseline something.
Now, let's say you decide in this little local area network with 1,000 customer
records on a server that you're going to connect to the Internet.
You get your first Internet connection.
And now people from the Internet can come in and do maintenance on your server or
whatever reason you would be connecting.
Well, guess what?
The probability of attack has now gone way up.
Has the consequence changed?
No, [LAUGH] it's the same stuff.
Your customers would be just as angry if you lost the data.
That hasn't changed.
But the probability that something could happen has gone way up
because you connected to the Internet.
Now let's unravel.
Let's go back to the case where it's still private network
with no Internet connection.
I've got 1,000 customer records.
And you suddenly realize, well, 1,000's just a small percentage of our customers,
let's put all of them on.
Let's put a million customers records on that server.
How are you feeling about risk now?
It's gone way up because you have more consequential assets on that server.
So there's these two ways that risk can be affected.
Now, every one of you right now is thinking the correct question and
that's, well, what if one goes up and one goes down, right?
What if I went from 100 customer records to 10 at the same time that I connected
to the Internet?
Welcome to Security Risk Management.
And you can see how that's a very subjective judgment
that you have to make.
The discomfort that anybody doing cybersecurity has,
particularly in a practical setting, is how informal a lot of this is.
As an academic, particularly somebody who's always giving exams and
helping students work out answers to questions and problems,
you always look for things that are quantitative.
Where there's a number and they can't really argue with you one way or another.
But cybersecurity doesn't work like that in practice.
I wish it did, but it just doesn't.
In practice, it's judgment, qualitative versus quantitative judgment, and
a question of, well, this one went down, the consequence went down.
The probability went up, do they balance?
Has the risk stayed the same?
Did this drop more than this increased?
Do you follow?
It's very difficult to kind of go through that.
And that's where experience and
just having the willingness to try to make good decisions, good management decisions,
about cybersecurity may be the most important factor here.
So just some terms of sort of your additional learning here.
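As an added example (not part of the lecture), here is the baselining idea in code: risk is probability times consequence, each scenario is compared to a baseline as a ratio, and the "one went up, one went down" case is scored on both a linear scale and an assumed 1-5 ordinal scale. The probabilities, the ordinal thresholds and the Scenario objects are constructed for illustration; only the record counts and exposures come from the lecture.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    name: str
    records: int           # consequence driver: customer records on the server
    internet_facing: bool  # probability driver: reachable from the Internet

# Constructed, assumed probabilities of compromise for the two exposures
# (not figures from the lecture); only their ratio matters for baselining.
P_PRIVATE_LAN = 0.01
P_INTERNET = 0.10

def quantitative_risk(s: Scenario) -> float:
    """Risk = probability x consequence on a linear scale (records exposed)."""
    p = P_INTERNET if s.internet_facing else P_PRIVATE_LAN
    return p * s.records

def ordinal_risk(s: Scenario) -> int:
    """Same product on an assumed 1-5 qualitative scale for each factor."""
    consequence = 1 + sum(s.records > t for t in (10, 100, 1_000, 100_000))
    probability = 4 if s.internet_facing else 1
    return probability * consequence

def relative_change(risk_fn, scenario: Scenario, baseline: Scenario) -> float:
    """Ratio of scenario risk to baseline risk; 1.0 means unchanged."""
    return risk_fn(scenario) / risk_fn(baseline)

def verdict(ratio: float) -> str:
    if abs(ratio - 1.0) < 1e-9:
        return "unchanged"
    return "up" if ratio > 1.0 else "down"

# The lecture's scenarios (constructed Scenario objects).
BASELINE = Scenario("1,000 records, private LAN", 1_000, False)
INTERNET = Scenario("1,000 records, Internet-connected", 1_000, True)
MILLION = Scenario("1,000,000 records, private LAN", 1_000_000, False)
SMALL_BASELINE = Scenario("100 records, private LAN", 100, False)
MIXED = Scenario("10 records, Internet-connected", 10, True)

if __name__ == "__main__":
    for s in (INTERNET, MILLION):
        r = relative_change(quantitative_risk, s, BASELINE)
        print(f"{s.name}: risk {verdict(r)} x{r:g} vs baseline")
    # The "one up, one down" case: the answer depends on the scale chosen.
    for label, fn in (("linear", quantitative_risk), ("ordinal", ordinal_risk)):
        r = relative_change(fn, MIXED, SMALL_BASELINE)
        print(f"{MIXED.name} vs {SMALL_BASELINE.name} ({label}): {verdict(r)} x{r:g}")
```

On the linear scale the mixed case comes out exactly balanced, while the ordinal scale calls it an increase; the number you get depends on the scale you baselined with, which is the judgment call the lecture describes.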