Threats + Capabilities + Motivation + Time --> Risks

 


Our friend Barry Conchie sent us a LinkedIn post by Jeremy Levin regarding threats and risk. In grossly oversimplified terms, threat is a function of capability and intent, while risk is a function of the possible consequences of the threat. 

Commenters on the original post noted that these are not static values. Threats change over time because capabilities change -- sometimes in your favor, sometimes not (think: AI scraping your system via its API). The recent power outages at Heathrow Airport (blown transformer) and in Spain (mysterious blackout) frame this idea of threat for us relative to what happens when we do a "cost-benefit analysis": usually, if it's costly to anticipate something, it's probably a bigger threat than you think. Intent may also change -- maybe now that your company has grown, there's more to steal, or disruptions are a bigger problem.

Risk is a time-based forecast. The risk of a flood is higher in summer months, for example, than in winter months.

Putting it together, changing capabilities lead to changing threats, and changing threats relate to changing risks.

What about motivation?

Motivation is the behavioral part of cybersecurity. We at Pythia focus on behavioral cybersecurity because your behavior reflects your motivations and your personality across multiple opportunities. If you as a leader do not take the time to get smarter about cybersecurity, it shows you don't value it. Time investment as a leader reflects your values: if you as a leader don't value cybersecurity, then you will get less (or worse) cybersecurity. That's a threat you are creating, which in turn increases your risks. And, if you as a leader over-invest in cybersecurity, then you may under-invest in growth.

Economists say there is no free lunch. Threats, capabilities, motivation, and time all vary the risk matrix. You need to find the right balance so that your cybersecurity risk mitigation investments reflect your values, not your fears.

Ask us how Pythia Cyber can work with your company to define your threats, examine your capabilities, and create an aligned course of action to mitigate risks.
