How Things Gain from Disorder: Nassim Taleb - Applicable to Infosec?

The series of lectures by Entrepreneurial Thought Leaders by the Stanford University's Entrepreneurship Corner is always a must-visit place for those 'eternal learners' who follow these posts or these tweets.

In this occasion I highlight some thoughts extracted from a lecture that Nassim Taleb gave (@nntaleb at @edcorner) on part of the content from his book Antifragile: Things that gain from disorder. Are those thoughts applicable to our Information Security world? Let's see.

As always, a modest disclaimer: These lines by no means replace the reading of this interesting book (or, at least, the watching of the lecture at Stanford).

- The aim will be to look in our activities for a convex function of luck (and not for a concave one). This way, by producing small changes in our activities, we could be aiming at getting greater results. In other words, look for something in which if you lose, you lose small but, if you earn, you win a lot. Look for anti-fragility.

I would consider a proactive defence approach in IT Security an anti-fragile field. A series of small information security preventive and detective improvement measures can bring superior benefits. However, the endless possibilities to undergo an attack by any of the current threat actors is probably a fragile environment. A small mistake in defending against threats could lead to big losses.

- There are certain fields in our lives in which forecasts cannot be made on statistical probability (e.g. he mentions the financial world).

This statement hints an alternative view to the book I wrote titled "Secure IT Up! Cyber Insurance Due Diligence" with regards to cyber security. It cannot be completely managed based only on statistical calculations (a long collection of statistically rare cyber incidents can be a reality).

And now some adjacent wisdom pills also from the talk:

- The sponsor of an option should also have disincentives together with incentives so that, if the adventure fails, they also undergo a kind of failure.

- Be aware of those sponsors trying to hide (but not mitigate) risks from you.

This piece of advice on avoiding hiding risks is also applicable to Information Security.

- Respect and even promote the culture of subtracting (in opposition to the culture of adding): e.g. Mankind will be better off if some toxic elements are taken away (e.g. those who damage public health).

Avoiding complexity facilitates the work of the Information Security practitioner.

- Contrary to common academic views, hands-on practice leads to technology. Technology leads to science (and not vice versa i.e. science leads to technology and technology leads to practice).

This last thought deserves some reflection wearing our Infosec hat. Would we improve Infosec at a faster pace if we allocate funds initially thought for governance to secure DevOpS?

 Happy anti-fragility!

Build your anti-fragile option