Australia Waterfowl, Philosophy, and Zero Day Events


    What do philosophers pontificating about swans have to do with risk management? Sometimes everything.

    Peter Lindstrom asks if Freak Accidents are Black Swans? Good thought provoking question!

    Let’s consider what a "Black Swan" is…

    “No amount of observations of white swans can allow the inference that all swans are white, but the observation of a single black swan is sufficient to refute that conclusion.” (John Stuart Mill rephrasing David Hume)

    That comes to us from Nassim Nicholas Taleb’s wonderful book, "Fooled by Randomness." To Taleb, a Black Swan is a large-impact hard-to-predict rare event beyond the realm of normal expectations.

    Some time after Mill (and Hume) wrote about white swans and black swans - the Cygnus Atratus (pictured above), an Australian swan, was discovered. Bravo for life’s little ironies!

    Back to Lindstrom: those freak accidents, as a category, are not "Black Swans". In other words, with a population of 300 million in the U.S. of A. and six billion in the world, accidents such as these are "bound" to happen. In addition, looking at the examples that come back from Peter’s Google search, I would have a tough time describing a plane crash, death by animals protecting themselves, or, as unfortunate as it is, a toddler dying from an accident as "Black Swans". These are all things that we know are within the realm of probability.

    Black Swans and Zero Day

    As Mike Rothman points out, the definition of Zero Day is becoming a hot topic. Alan Shimel (rightly) suggested a refinement of the nomenclature concerning Zero Day: he adds the category "Less than Zero Day".

    Whether you agree or disagree with Alan’s definitions and approach, he, like all of us, is really trying to account (somehow) for "Black Swans": weaknesses and exploits that exist but are not common public knowledge. If there is a weakness and we (the "white hats") know about it, then even if there is no patch available, it is not beyond the realm of imaginable probability that it can be used against us. Thus, those are not "Black Swans".

    Nitpicky Note: Alan’s use of "Risk" in his graph. Nobody knows the true impact of a "Black Swan" or Zero-Day for a particular exploit on a particular set of systems yet, so it is difficult to judge "Risk to the Organization". If you wanted to model potential impact, you could run FAIR models using Force Majeure and/or Technical Expert Threat Communities, an LEF of "1", and assume worst case losses (you could even do what my friend Clarke Cummings suggests and apply Monte Carlo methods to ranges of losses). But we simply can’t assume that all black swans will result in the worst case.
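    The modelling suggestion in the note above, worked through as an added example (this is not code from the post, from Alex, or from Clarke Cummings): the loss event frequency is pinned at LEF = 1, a loss magnitude range is given as minimum / most likely / maximum, and a Monte Carlo run over that range produces a distribution of annual loss rather than a single worst-case number. The dollar figures are constructed placeholders, and a triangular distribution stands in for whatever PERT-style range a FAIR practitioner would actually calibrate.

```python
import random
import statistics

# Constructed loss-magnitude range for one hypothetical zero-day exploit
# (placeholder figures, not from the post): minimum, most likely and maximum
# loss, in dollars, for a single loss event.
LOSS_MIN = 50_000
LOSS_MODE = 250_000
LOSS_MAX = 2_000_000


def simulate_annual_loss(trials, lef=1, low=LOSS_MIN, mode=LOSS_MODE,
                         high=LOSS_MAX, seed=1):
    """Monte Carlo over a FAIR-style loss range.

    lef is the loss event frequency per year; the post's suggestion is
    LEF = 1 (assume the exploit is used against you once). Each loss event
    draws a magnitude from a triangular distribution over (low, mode, high)
    and the annual loss is the sum of that year's draws. A fixed seed keeps
    the run reproducible.
    """
    rng = random.Random(seed)
    results = []
    for _ in range(trials):
        annual = sum(rng.triangular(low, high, mode) for _ in range(lef))
        results.append(annual)
    return results


def percentile(values, p):
    """p-th percentile (0-100) by nearest rank on the sorted sample."""
    ordered = sorted(values)
    rank = int(round(p / 100 * len(ordered))) - 1
    return ordered[max(0, min(len(ordered) - 1, rank))]


def summarize(values, worst_case=LOSS_MAX):
    """Compare the simulated annual-loss distribution against a flat
    'assume the worst case' figure, which is what the note argues against."""
    return {
        "mean": statistics.fmean(values),
        "p50": percentile(values, 50),
        "p90": percentile(values, 90),
        "p99": percentile(values, 99),
        "worst_case_assumed": worst_case,
        # fraction of simulated years whose loss exceeds half the worst case
        "share_above_half_worst": sum(v > worst_case / 2 for v in values) / len(values),
    }


if __name__ == "__main__":
    losses = simulate_annual_loss(10_000)
    for key, value in summarize(losses).items():
        print(f"{key:>24}: {value:,.2f}")
```

    With a most-likely value well below the maximum, the 90th and 99th percentiles sit noticeably under the worst-case figure, which is the point of the note: planning only for the worst case discards the information that the range gives you.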


    3 comments

    1. Mike Rothman Oct 25

      Alex,
      You are correct in saying that you can’t assume that each zero day (or black swan) will result in the worst case, but I agree that customers should model and plan for that. If you aren’t ready for the worst case, you are setting yourself up for a world of hurt. It’s usually said that “hope is not a strategy,” so I recommend most users look at the downside and be pleasantly surprised if it doesn’t materialize.

      Mike.

