“The inability to predict outliers implies the inability to predict the course of history.” ― Nassim Nicholas Taleb, “The Black Swan: The Impact of the Highly Improbable

In modern parlance, the phrase “black swan,” as espoused by the famous intellectual personality Nassim Nicholas Taleb in his famous book “The Black Swan: The Impact of The Highly Improbable,” refers to an event that comes as a surprise, leaves a major impact and, in the absence of cyber situational awareness, can be rationalized only with the help of hindsight.

When it comes to cybersecurity, the black swan theory holds special importance. As cyberspace grows in volume and operation, it becomes more entwined with different aspects of everyday life. Given this increased integration, a black swan event could unleash major consequences through the multiplier effect.

Hindsight Is 20/20

A black swan event is impossible to predict and can be rationalized only through the wisdom of hindsight. Nevertheless, there are certain high-impact, low-probability scenarios that could be simulated or conceptualized to prepare an incident response plan.

The high-profile Yahoo, Target and Sony breaches were not typical black swan events, since they could have been predicted and prepared for. The Target breach of 2013, which exposed 40 million debit and credit card details, occurred due to the poor security practices of a third-party HVAC vendor. Similarly, the Sony breach has been attributed to lax access control policies. Meanwhile, a 2013 attack on a dam in New York happened because an insecure cellular modem allegedly allowed threat actors to take control of critical infrastructure.

These high-impact, low-probability incidents could have been avoided had unconventional security vulnerabilities been taken into account. An effective incident response plan must consider security scenarios that are unlikely but potentially damaging.

A Gloomy Picture

In 2013, the Ponemon Institute published an interesting study titled “Efficacy of Emerging Network Security Technologies.” The report revealed that the majority of security professionals around the world agree that the threat landscape is changing and becoming more complex with each passing day. As a result, most organizations, especially in banking, finance, health care and manufacturing, are deploying the latest security solutions to prevent incidents.

Interestingly, some survey participants who reported positive results from security solutions also said they considered their organizations to be vulnerable to cybercrime. The situation painted a gloomy picture of the security landscape and suggested that many organizations are unprepared to deal with unconventional and unknown threats that could kick-start a black swan cyber event.

Organizations deploy solutions that can effectively detect and contain only known threats. Solutions such as firewalls can only prevent intrusions according to defined access control policies, and intrusion prevention systems (IPS) can only protect against threats that match the database of known threat signatures. In other words, these solutions do not cover the entire ground of the threat landscape because they fail to account for the dynamically emerging threats and provide no defense against the unknown. Until all attack pathways are insulated with security barricades, cybercriminals will continue to penetrate networks and the risk of high-impact scenarios will remain.

Embracing Cyber Situational Awarness

Extraordinary threats require extraordinary solutions. You cannot predict a black swan event, but you can estimate the probability that it will occur and its potential impact by building a security architecture that evolves as the threat landscape shifts. Organizations must look beyond conventional modes of defense to achieve a security posture that is dynamic, not static. This requires cyber situational awareness and information sharing.

As defined by Dr. Mica Endsley, former chief scientist of the U.S. Air Force, situational awareness is the perception of elements in the environment, the comprehension of their meaning and the projection of their status in the near future. The perception, comprehension and projection elements of cyber situational awareness can effectively track, analyze and provide actionable intelligence about emerging threats, threat actors, vulnerabilities and malware. This enables organizations to understand their own security preparedness and proactively take steps to mitigate risks associated with emerging threats.

Securing Human Endpoints

Situational awareness must be imparted at all hierarchical echelons of an organization, including the board members and executives, IT professionals, security analysts, human resources, finance, sales, marketing, and third-party vendors and clients. These are all human endpoints with gaps in awareness that could potentially be exploited by fraudsters.

If these vulnerabilities are plugged in on a real-time basis, cybercriminals will find it tough to improve their scale of sophistication. Like an exponential graph, their innovative techniques would hit a roof and then stagnate, which would provide the requisite time for organizations to normalize their awareness levels. Furthermore, the actionable information generated by situational awareness needs to be shared in real time with industry peers and clients to protect the overall industrial security framework.

Butterflies and Black Swans

It’s also important to understand an organization’s security posture through the prism of the butterfly effect, which states that every minute, localized action can have significant consequences elsewhere in a complex system. Consider the many acts of poor cyber hygiene employees carry out on a daily basis — these missteps can ultimately lead to a massive black swan event.

Since most corporate assets are connected across the organizations to which they belong, a localized action can enable malicious actors to trigger catastrophic events within a network and even throughout cyberspace at large. Therefore, individual cyber hygiene is crucial to prevent black swan events. Just like software, user education needs regular patching, which can only be delivered through cyber situational awareness.

More from Risk Management

New Attack Targets Online Customer Service Channels

An unknown attacker group is targeting customer service agents at gambling and gaming companies with a new malware effort. Known as IceBreaker, the code is capable of stealing passwords and cookies, exfiltrating files, taking screenshots and running custom VBS scripts. While these are fairly standard functions, what sets IceBreaker apart is its infection vector. Malicious actors are leveraging the helpful nature of customer service agents to deliver their payload and drive the infection process. Here’s a look at how IceBreaker…

Cybersecurity 101: What is Attack Surface Management?

There were over 4,100 publicly disclosed data breaches in 2022, exposing about 22 billion records. Criminals can use stolen data for identity theft, financial fraud or to launch ransomware attacks. While these threats loom large on the horizon, attack surface management (ASM) seeks to combat them. ASM is a cybersecurity approach that continuously monitors an organization’s IT infrastructure to identify and remediate potential points of attack. Here’s how it can give your organization an edge. Understanding Attack Surface Management Here…

Six Ways to Secure Your Organization on a Smaller Budget

My LinkedIn feed has been filled with connections announcing they have been laid off and are looking for work. While it seems that no industry has been spared from uncertainty, my feed suggests tech has been hit the hardest. Headlines confirm my anecdotal experience. Many companies must now protect their systems from more sophisticated threats with fewer resources — both human and technical. Cobalt’s 2022 The State of Pentesting Report found that 90% of short-staffed teams are struggling to monitor…

Container Drift: Where Age isn’t Just a Number

Container orchestration frameworks like Kubernetes have brought about untold technological advances over the past decade. However, they have also enabled new attack vectors for bad actors to leverage. Before safely deploying an application, you must answer the following questions: How long should a container live? Does the container need to write any files during runtime? Determining the container’s lifetime and the context in which it runs is critical, especially when hosting an internet-facing service. What is Container Drift? When deploying…