The world loves a bogeyman. And Kim Jong Un certainly fits the bill. But the fallout from the alleged hacking of Sony by North Korea has revealed much about how governments, corporations and individuals view the subject of risk.
Certainly emails have been swiped, to the intense annoyance or schadenfreude-tinged fascination of participants in, and fans of, the movie industry. After that the story gets more speculative and interesting. Online statements threatening movie-goers by the previously unheard-of Guardians of Peace, suggesting “remember the 11th of September 2001”, “we recommend you to keep yourself distant from the places at that time (sic)”, and “if your house is nearby you’d better leave” suggest the ability to cause mass destruction and terror. But to believe the demonstration of email hacking should unquestionably lead to an acceptance that the subsequent threats are credible suggests that Sony do not understand how to think about risk, threat and probability.
The chance of an event – good or bad – occurring, is a constantly shifting dynamic. A gloomy scenario more readily explains this melting pot. For a bad event to be realised three things need to align: an ability and intent on the part of an adversary to create mischief and an opportunity accorded to that adversary. An understanding of these variables produces the threat. But this is still no guarantor of an event happening; mitigating strategies employed by those at risk must be considered. These vary from simply hoping things won’t go wrong, to making the issue somebody else’s problem (by, say, taking out insurance), through to taking steps to reduce or even eradicate the chances of a bad event occurring. (These four T’s are collectively known in the risk management business as tolerate, transfer, treat and terminate.) Pulling down metal shutters on shop fronts eradicates the possibility of a smashed window, for example. It is, therefore, a strong mitigation measure, terminating the threat from brick-toting thugs. Alternatively, using only the letter ‘z’ as a computer password (as one former editor of an international newspaper did) is a poor mitigation strategy, as it treats to a minimal degree only the issue of computer security.
Taken together, the variables of the adversary’s choosing (capability, intent and opportunity) when undermined by mitigation measures (the ‘four T’s’) enables a security professional to have an idea about the probability of a threat being realised. The individual, corporation or government subject to this probability then has to decide the scale of the impact that would be produced if the probability came to pass. The resultant position on a probability-impact graph (conceived with low-medium-high on each axis) is the true expression of risk. As a mental construct, it is a best guess only. Firm figures are impossible, but it is no less important for that. For example, the chances of a massive earthquake damaging the Royal Navy’s nuclear submarine base in Faslane, Scotland, is extremely remote. But as the impact of a nuclear incident could be catastrophic the base has earthquake protection to a level unseen elsewhere in Britain.
It is this fluid, imprecise and intangible relationship between threat, mitigation, probability and impact that enables risk to seem confusing and unfathomable. Is medium probability, high impact worse than high probability, low impact? How much will it cost to reduce the probability? If the impact is felt beyond the corporate balance sheet and in the political arena, who should pay to prepare society? Managing risk is not easy.
Is Sony vulnerable to the threat from hacking? Of course. Did they put in place a strong mitigating strategy after their PlayStation network was hacked in 2011? Who knows? But either they did and this current adversary has much more capability than Sony has defences, or they did not, in which case heads should roll. Sony’s current adversary took advantage of an opportunity to demonstrate the ability and intent to hack emails. But by so swiftly leaping to a belief that movie theatres and the public are now at too high a threat of actual violence in the real world indicates either Sony do not understand risk, or there is more to this than the public are being told. President Obama’s criticism of Sony suggests the former.