Apocryphal Risk Management

Author: Jack Freund, Ph.D., CISA, CISM, CRISC, CGEIT, CDPSE, Chief Risk Officer, Kovrr
Date Published: 4 September 2019

Oftentimes, stories are widely circulated in organizations and serve as a source of truth. For instance, it could be an enterprise’s belief that an organizational apocalypse will occur if the website goes down. Versions of these stories abound, ranging from claiming losses of millions of dollars an hour to mass customer desertion. These stories exist for other parts of the confidentiality, integrity and availability (CIA) triad as well, for example, “If we suffer a data breach, our customers will never trust us again.” Sometimes, these stories may even be more nuanced and complex. Perhaps the organization’s story prophesies how regulator action would mean the end of the enterprise or how the loss of a key customer would set off a chain reaction of customer loss in the same region or industry.

There is no limit to the human mind’s ability to think negatively. (It is why there are no books in the library about how to think negatively.) Paradoxically, there is much social science research about how we very often overestimate our ability to succeed. It is in this space that there are certain risk management obligations that must be undertaken. First among them is that enterprises cannot rely on organizational storytelling to define risk management programs.

I recently had the opportunity to speak to some risk management professionals at a large retailer. At a certain point during the conversation, one person recounted an organizational story that was widely regarded as true but had dubious authenticity. This person had investigated the details of the story (a version of the website-outage story outlined previously) and gathered hard data to support the assertion that it was not true. Apocryphal stories like this can negatively impact an organization’s ability to manage risk effectively. Indeed, they contribute to one of the worst results of poor risk management: misallocation of resources. Instead of placing money, time and people on problems that can truly cause damage to the organization, relying on these stories for prioritization results in enterprises chasing ghosts.

This means cyberrisk management professionals have an ethical obligation to tell the truth. I contend that this is more than a simple charge to not misrepresent facts. Voltaire, French Enlightenment writer, historian and philosopher, is credited with saying that “It is dangerous to be right in matters on which the established authorities are wrong.” How true that still is today. Power often defines truth. In the context of testing and challenging apocryphal organizational risk stories, this requires a 3-pronged approach on the part of the cyberrisk professional. Blending the 3 modes of persuasion—ethos, logos and pathos—is necessary for success.

The ethos, or speaker credibility, is where the root of the apocryphal stories lies. Indeed, it is often people with organizational rank or decades of experience from whom these stories originate or by whom they are propagated. As a result, it is important not to ignore one’s own ethos in this endeavor. In these situations, it is best to be aligned with people in the organization who can help provide air cover (sponsorship) if things go wrong. Timing is also important. Newcomers to an organization sometimes can challenge the status quo, but this soon passes, and the desire to assimilate quickly follows. Many organizations find that hiring outside consultants to tell this story absolves them of having to deliver difficult messages to those with significantly more ethos than they have.

The logos, or logic and reasoning part of the argument, can best be enhanced by using a cyberrisk quantification (CRQ) methodology, such as Factor Analysis of Information Risk (FAIR). It provides the framework and language to prepare quantitative arguments that help to outline the metrics that trigger a risk event and what the fallout will be. In the example related previously, the risk professional gathered online sales numbers to bolster his assertion about the impact rating. These metrics showed that the opposite of the apocryphal story was true: Certain doom was not inevitable. It was not a complete refutation of the story, but it certainly went a long way in downplaying the story in favor of other more perilous events.
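As an added illustration that is not part of the article, the following FAIR-style Monte Carlo sketch tests the website-outage story the way the retailer’s risk professional did: it estimates annualized loss from observed online sales per hour, outage frequency and outage duration, and compares the story’s “millions of dollars an hour” figure with the worst hourly loss the data can support. All input figures and function names are constructed assumptions, not the retailer’s data or FAIR’s official tooling.

```python
import random

# Constructed inputs for illustration only; none are the retailer's real figures.
# Each triple is (low, mode, high) for a triangular distribution.
HOURLY_ONLINE_SALES = (20_000.0, 40_000.0, 90_000.0)   # USD of online revenue per hour
OUTAGES_PER_YEAR = (1, 3, 8)                           # loss event frequency
OUTAGE_HOURS = (0.25, 1.0, 6.0)                        # duration of one outage
DEFERRED_SALES_SHARE = 0.4   # share of sales merely delayed, not lost, once the site returns
STORY_LOSS_PER_HOUR = 1_000_000.0   # the apocryphal "millions an hour" claim, as a constant

def _tri(rng, spec):
    """Draw from a triangular distribution; random.triangular takes (low, high, mode)."""
    low, mode, high = spec
    return rng.triangular(low, high, mode)

def outage_loss(rng):
    """Loss magnitude of a single outage: lost hours times lost sales per hour."""
    hours = _tri(rng, OUTAGE_HOURS)
    sales_rate = _tri(rng, HOURLY_ONLINE_SALES)
    return hours * sales_rate * (1.0 - DEFERRED_SALES_SHARE)

def simulate_annual_losses(years=10_000, seed=7):
    """Monte Carlo: annualized loss is the sum of per-event losses over a year's events."""
    rng = random.Random(seed)
    annual = []
    for _ in range(years):
        events = round(_tri(rng, OUTAGES_PER_YEAR))
        annual.append(sum(outage_loss(rng) for _ in range(events)))
    return annual

def percentile(values, p):
    ordered = sorted(values)
    idx = round((p / 100) * (len(ordered) - 1))
    return ordered[idx]

def summarize(annual):
    return {
        "mean": sum(annual) / len(annual),
        "p50": percentile(annual, 50),
        "p90": percentile(annual, 90),
        "max": max(annual),
    }

def max_supported_hourly_loss():
    """Worst case the data can support: peak sales rate with nothing deferred."""
    return HOURLY_ONLINE_SALES[2] * (1.0 - DEFERRED_SALES_SHARE)

def story_overstatement():
    """How many times larger the story's hourly figure is than the data-backed worst case."""
    return STORY_LOSS_PER_HOUR / max_supported_hourly_loss()
```

Run `summarize(simulate_annual_losses())` to get the loss exposure distribution and `story_overstatement()` to see the gap between the story and the data; the point is not the exact numbers but that the argument rests on observed metrics rather than on the story.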

Pathos represents the listener’s emotions in this situation, and that is where a tactful recitation of the facts presented in logos arguments is most valuable. Emotional intelligence is an often-underrated skill in risk management. Society prefers the cold hard facts of the logos argument. But that alone will not be enough to successfully challenge a spurious organizational story. Indeed, it is important to practice the presentation of the facts in various ways to appeal to different audiences. Apocryphal stories such as “We do not know where our data are” when the facts show that the IT asset inventory is quite accurate can be adapted to say, “We need to better understand where data duplication exists so that we can have a single record of truth.” Digging deeper into the audience’s understanding of the problem and then extending their belief beyond its barriers to where the logos argument indicates the real problem lies is necessary.

Blending elements of each of these 3 modes of persuasion is important to successfully test and challenge apocryphal risk management in an organization. I told the aforementioned risk professional at the large retailer that what he did was brave. Indeed, it is often dangerous to be right when the established authorities are wrong. However, the risk profession requires communicating the truth to those in power. Successful risk management can happen only when decision-making is completed through analyzing facts, not relying on questionable storytelling.

Jack Freund, Ph.D., CISA, CRISC, CISM, is director of risk science for RiskLens, a member of the Certified in Risk and Information Systems Control™ (CRISC™) Certification Working Group, coauthor of Measuring and Managing Information Risk, a 2016 inductee into the Cybersecurity Canon, an IAPP Fellow of Information Privacy, and ISACA’s 2018 John W. Lainhart IV Common Body of Knowledge Award recipient.