In order to address risk proactively, you have to see through the noise of all of the information you are being presented with. The goal is to find the right stuff to pay attention to and not be distracted by the rest. It is a challenging task, indeed.
“In an information-rich world, the wealth of information means a dearth of something else: a scarcity of whatever it is that information consumes. What information consumes is rather obvious: it consumes the attention of its recipients. Hence a wealth of information creates a poverty of attention and a need to allocate that attention efficiently among the overabundance of information sources that might consume it.”
Herbert A. Simon wrote this quote in his book, Designing Organizations for an Information-rich World, in 1971, long before the Internet had reached its modern form, when that “information-rich world” involved the spread of information through books, newspapers, and the burgeoning television industry. It was hard to conceive of the level of pervasiveness the Internet would eventually reach at a time when computers were still the size of an entire room. It wasn’t until the 80s, with Michael Goldhaber (the topic of Charlie Wesker’s excellent New York Times article last week), that the Internet was considered as a source of overabundant information.
This “attention economy,” as Simon and Goldhaber call it, is predicated on the idea that our attention is finite, and that every action we perform or information we take in uses part of that daily allotment of attention. This is especially true in the field of risk management.
The information regarding financial, technological, and physical risks continues to outpace our ability to process it. With this growth naturally comes the desire to fully understand and plan for each and every one of these risks. The hard truth is that not all of these risks pose an equal threat to you or your institution, and you run out of finite attention and time before you can properly focus on the most important ones.
Attention and Noise
Time for a statistic: in 2020, 80% of surveyed financial institutions reported an increase in cyberattacks (13% higher than 2019) and 64% reported increased attempts at wire fraud transfers (17% higher than 2019). Cybersecurity risks are interesting because their sheer volume masks the ones that are more sophisticated and prevalent, and our urge to track, analyze, and respond to every single one becomes stronger. Attempting to perform an investigation on all penetration attempts, however, would require not just a significant time commitment, but also a non-negligible amount of the overall risk attention of your institution. An exhaustive analysis of these attempts, then, would be an unfortunate waste of this limited attention resource.
An overabundance of penetration attempt analysis is by no means the only attention getter for risk, but it is a common one. The combination of these “attention-sink” factors forms noise, a statistical distraction from the sources of risk that pose the most pressing financial threat to your organization. But what’s the method to avoid such an attention loss? Well, the answer (as it is to many things in life) is “it depends.” As an example, performing comprehensive pentesting, a more proactive approach than the reactive method of examining penetration attempts after they’ve occurred, can somewhat address that particular source of noise. A more effective way of focusing our attention on the “right” things is the use of scenario analysis, more commonly known as creating a story.
Mitigating the Risk of Finite Attention
It may seem like scenario analysis would be slower and less effective than gathering and analyzing all the data. The important part about scenario analysis is that it points you towards the data that is most relevant. Looking back in time, when cyber risk first became noticed (well after it had already started), we paid attention to every single penetration attempt, and when the volume went up, we thought we were more at risk. As we moved to pentesting, we began to focus on the weaknesses in our technology solutions. This evolution moved us from the noise to the important stuff, saving us time and attention. Any time saved in one area of attention means more remaining attention for other key risks.
Determining which risks require the most attention is a process in itself. Modeling to compare the severity of different sources of potential risk is a natural first step, but deciding which ones should have more attention dedicated to them (likely in the form of analysis and mitigation strategies) will vary based on your particular situation.
On top of that, with the realities of living in the modern world, it’s fair to assume at least some risk will form in areas that might take some time to mature. Take, for example, the increasing risk due to climate change. It’s unlikely that any risk associated with climate change will be a major issue day-over-day. That being said, a good scenario-based discussion will begin to point out what is important to pay attention to and whether you have enough room in your finite attention allotment to be prepared. The less attention you focus on establishing financial expectations and complications before an issue like climate change becomes an active crisis, the more attention you will need to perform post-mortem assessments of the potential financial disaster. The amount of attention required is unknown at this point, but it does require some allotment. As the ever-quotable Ben Franklin once pointed out, “By failing to prepare, you are preparing to fail.”
Much like the distance in time that produced the gap between Simon’s and Goldhaber’s interpretations of the source of overabundant information, there’s a strong chance we haven’t considered at least some of the next big sources of risk. It only takes looking back a year and a half to the pre-pandemic world, where understanding the impact of a shutdown on last year’s scale wasn’t a thought or consideration on anyone’s mind. But for the situations that are either foreseeable (if only there were more of those!) or have at least some level of precedent, it’s worth establishing a baseline of attention you’re willing to dedicate to that risk.
How can we provide enough attention to the many risks we face? Well, that’s a real billion-dollar question. Starting with a formal scenario discussion structure is an important step. Ensuring that some of the risk attention goes to planning, analyzing, assessing, and modeling not just active key and material risks, but also potential key and material risks, is a good way to start. And thinking about attention as a finite resource enables you to begin the journey towards identifying what is important and impactful to your organization.