Yarrrr, me hearties! Deploy the ransomware, and prepare to board. Yarrrr!
Missed Part 1? Catch up here
So to recap where we’re at in this long deep dive into the stupid badness of cyber risk quantification: the level of rigor required to call a risk measurement “quantified” is the level of actuarial rigor required to run a profitable insurance business.
If you have enough data—say, on weather phenomena in South Florida—you can consistently make a profit as an insurance company insuring houses against hurricane damage.
Now that is what I call risk quantification.
But even if we hypothetically had enough data to quantify cyber risk—which we don’t, and we likely never will—we still wouldn’t be able to rely exclusively on quantitative measurements.
So now let’s talk about piracy. Unlike accidental negative financial impact caused by natural phenomena like weather or earthquakes, cybersecurity risk involves human adversaries.
Now to be clear, you can insure against human adversaries. Take crime. Jewel heist. Bank robbery. Arson. Petty crime. Vandalism. Car theft. Organized crime and sophisticated criminals, even. This is not a controversial statement.
Piracy is useful and interesting to talk about because it marks the frontier between the insurable and the un-insurable.
That means it’s time to invoke everyone’s favorite legal clause, the dreaded war exclusion.
No standard insurance policy on earth will cover you against war, not even one written at Lloyd’s of London. Look at any ordinary policy and you will find a so-called “war exclusion.”
Is piracy an act of war? We have only the well-established precedents of sea-faring pirates, but there are a good many useful parallels between sea power and cyber power (looking at you A.T. Mahan), so this is a useful metaphor to think about, as long as (like with all metaphors) we don’t take the comparison too literally.
You can insure against piracy. In fact, during the days of sail, Lloyd’s of London was concerned about their growing losses due to insurance payouts for losses incurred at the hands (or hooks) of the pirates of the Caribbean.
So what did they do? They went looking for retired pirates and paid them to go to London and teach them how piracy worked, so they could better understand and manage the risks piracy poses to shipping.
They had to understand the system in order to insure (read: secure) the system.
Now am I here to tell you that seventeenth-century pirate insurance was based on actuarial science with quantified risk? Obviously not. I am sure that insurance companies charged sky-high premiums to account for their KNOWN UNKNOWN and UNKNOWN UNKNOWN risks.
Cybersecurity insurance today is not even as mature as handwavy piracy insurance four hundred years ago. Think about that for a moment. Our profession is less quantified than insurers in London or Amsterdam betting on whether a wooden boat powered by wind would survive a three-year return journey to India.
Now let’s talk about war.
Piracy marks the frontier between the insurable and the un-insurable. War is never insurable. For two reasons.
First, war involves systemic, catastrophic risk. If a foreign army conquers your country, pillaging and destroying everything along the way, that is a game over scenario. Actuarial science rests on the fundamental assumption that losses across the insured pool are largely independent of one another: the law of large numbers then makes the aggregate loss predictable, and a premium a little above the expected loss keeps the insurer solvent. A loss that hits every policyholder at once breaks that assumption, and no pool size repairs it.
Second, war involves active, creative adversaries who mean you harm. Criminals are active and creative too, but it is the combination of active, creative adversaries and systemic risk that makes war un-insurable.
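To make the actuarial point concrete, here is an added illustration of why pooling works for independent losses and fails for a common shock. It is my example, not the author’s model, and the loss probability, loss size, shock probability and solvency target are constructed, hypothetical numbers chosen only to make the effect visible. It prices a one-period book of identical policies exactly (binomial tail, no simulation), then searches for the cheapest premium that keeps the chance of paying out more than was collected under a target.

```python
"""Pooled (actuarial) pricing: independent losses vs. a systemic common shock.

Added illustration, not the post's or any insurer's model. All parameters
below are constructed for the example (hypothetical), not real loss data.
"""
import math


def binom_upper_tail(n: int, p: float, k_min: int) -> float:
    """P(X >= k_min) for X ~ Binomial(n, p), summed in log space so that
    large pools do not overflow. Returns 0 or 1 at the trivial edges."""
    if k_min <= 0:
        return 1.0
    if k_min > n or p <= 0.0:
        return 0.0
    if p >= 1.0:
        return 1.0
    log_p, log_q = math.log(p), math.log(1.0 - p)
    log_n_fact = math.lgamma(n + 1)
    total = 0.0
    for k in range(k_min, n + 1):
        log_pmf = (log_n_fact - math.lgamma(k + 1) - math.lgamma(n - k + 1)
                   + k * log_p + (n - k) * log_q)
        total += math.exp(log_pmf)
    return min(total, 1.0)


def ruin_probability(n_policies: int, loss_prob: float, loss_amount: float,
                     premium: float, shock_prob: float = 0.0) -> float:
    """Probability that a one-period book of n_policies identical policies
    pays out more than it collected in premiums.

    Independent model: each policy suffers a total loss of loss_amount with
    probability loss_prob, independently of every other policy.
    Systemic model: in addition, with probability shock_prob one event (a war,
    a destructive worm, a shared provider going down) hits every policy at once.
    """
    # Independent ruin: claim count * loss_amount > n_policies * premium.
    k_min = math.floor(n_policies * premium / loss_amount) + 1
    independent_ruin = binom_upper_tail(n_policies, loss_prob, k_min)
    # Common shock: every policy claims, so the book survives only if it
    # charged at least the full loss as premium. Pool size is irrelevant.
    shock_ruin = 0.0 if premium >= loss_amount else 1.0
    return shock_prob * shock_ruin + (1.0 - shock_prob) * independent_ruin


def required_premium(n_policies: int, loss_prob: float, loss_amount: float,
                     target_ruin: float, shock_prob: float = 0.0,
                     step: float = 0.5):
    """Smallest premium (searched in increments of `step`) that keeps the ruin
    probability at or below target_ruin. Returns None when no premium below
    the full loss amount achieves that, i.e. the risk cannot be priced as
    insurance at all."""
    premium = 0.0
    while premium < loss_amount:
        if ruin_probability(n_policies, loss_prob, loss_amount,
                            premium, shock_prob) <= target_ruin:
            return round(premium, 2)
        premium += step
    return None


if __name__ == "__main__":
    # Hypothetical book: 5% of policies suffer a total loss of 100 per period,
    # so the expected loss per policy is 5. Target: at most 1% chance of ruin.
    LOSS_PROB, LOSS, TARGET = 0.05, 100.0, 0.01
    for shock in (0.0, 0.02):
        label = "independent losses" if shock == 0.0 else "plus 2% common shock"
        print(f"--- {label} ---")
        for n in (100, 2000):
            ruin = ruin_probability(n, LOSS_PROB, LOSS, 6.5, shock)
            needed = required_premium(n, LOSS_PROB, LOSS, TARGET, shock)
            print(f"pool={n:5d}  ruin@premium 6.5={ruin:.4f}  "
                  f"premium for <=1% ruin={needed}")
```

Read the output top to bottom: with independent losses, growing the pool from 100 to 2,000 policies drives the ruin probability at a 6.5 premium from roughly a quarter to a fraction of a percent, and the premium needed for a 1% solvency target falls from 11 to 6.5, barely above the expected loss of 5. That is the law of large numbers doing the insurer’s work. Add a 2% chance of a common shock and the ruin probability never drops below 2% at any pool size and any premium short of the full loss, so `required_premium` returns `None`: the risk is un-insurable in exactly the sense the text means.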
Have you heard about that famous book by the ancient Chinese sage, the Science of War?
Oh, wait. I mean the Art of War.
War was an art 2500 years ago in China, and it remains an art to this day. While war tactics may be somewhat scientifically measurable—how many shells, how many tanks, how many soldiers, etc—war strategy is not a science, but rather the struggle for mastery between two opposing sides.
Now, there is a good argument that ransomware—genuine ransomware by true private-sector organized criminals—is a modern version of piracy, and thus insurable, and at least partially quantifiable. (I say genuine ransomware because nation-state militaries and spies often pursue their offensive aims using ransomware TTPs, or even fake ransomware like NotPetya, which was designed to commit sabotage rather than collect a ransom.)
But today everyone in the world lives next door to every criminal, spy, gangster, and military in the world. Borders are obsolete. The Treaty of Westphalia is irrelevant on the fifth domain. Anyone can attack anyone at any time. Beyond collateral damage, we face systemic, catastrophic risks: bad things that haven’t happened yet but could easily happen at the drop of a hat, inflicted by aggressive, creative, active adversaries with armies at their disposal.
Consider a concrete example. Today the military of the sovereign nation-state of North Korea wages de facto, undeclared war against cryptocurrency companies. According to Chainalysis, the DPRK has stolen billions of dollars’ worth of cryptocurrency over the last five years, with the annual haul running into the hundreds of millions and, in its worst years, past a billion.
What does it spend the money on? Its nuclear weapons program, which UN sanctions monitors have reported is funded in significant part by these thefts. In 2023, the country unveiled what it called its first tactical nuclear attack submarine, paid for, on that evidence, with stolen cryptocurrency.
When a foreign nation-state uses force against a private-sector corporation overseas, and does so in order to advance its geopolitical aims, then the only common English word for that is “war”.
So where does this leave us?
Cyber risk quantification can only work in a world with sufficient data to engage in meaningful actuarial science at scale, and cyber risk quantification can only work in a world without KNOWN UNKNOWN and UNKNOWN UNKNOWN risks, and cyber risk quantification can only work in a world without—wait for it—war.
But it gets worse. Dogmatic devotion to cyber risk quantification can lead you to make very bad decisions as a CISO.
So let’s talk about Cyber Anxiety.