Hurricanes & Earthquakes: Prediction vs. Forecasting In Information Security
Prediction and forecasting may seem like they are the same thing, but they’re not. When it comes to natural disasters, a prediction specifies the time, location and strength of an event. Forecasting, on the other hand, is defined as a probabilistic determination of an event based on variables such as the frequency and magnitude/strength of past events in an area over a period of time… also referred to as a SWAG (Scientific Wild Ass Guess).
Hurricanes – Predicting
This week we watched as Hurricane Sandy ripped through the Caribbean and up through the NE United States, leaving a path of destruction in its wake. The damage to infrastructure and homes and the loss of lives have been devastating, but it could have been a lot worse. It is fascinating that in our day and age we have the technology to predict a storm’s path. We have the ability to prepare for the worst and, in the process, save lives and reduce damage. During the hurricane we had computer models and satellite imagery showing where the storm was and its predicted path and strength, providing enough warning to evacuate low-lying areas, board up windows, buy supplies and head to shelter.
Before we had the ability to track hurricanes, they were even more lethal and destructive, as they hit with little or no warning. In 1900, the Galveston, Texas hurricane had a death toll of more than 12,000 people. In 1938 a hurricane struck the NE United States, hitting Long Island, New York and New England with only 4 hours' warning and leaving 800 people dead. Compare this to Hurricane Sandy, where people had several days to prepare and the death toll, although still tragic, was only in the high 80s even with a more concentrated population.
The meteorologists at NOAA are heroes in this story. Their ability to use technology to monitor and detect changes in the storm in real time, modify models and variables, and turn them into actionable information that can be used to save lives and property is unprecedented.
Earthquakes – Forecasting
Earthquakes, on the other hand, strike with little warning. Seismologists are not as lucky as their meteorologist counterparts, as they have less visibility and less data on which to base their estimates. They can forecast based on high-risk areas, but earthquakes are unpredictable, at least with current technology. There are earthquake warning systems, but when an earthquake strikes they only provide outlying areas with seconds of warning, not enough time to save lives. Based on forecasting, however, we can reduce risk with stronger building codes, emergency preparedness and education.
This past week seismologists in Italy were charged with manslaughter based on their forecasts, which stated that the risk of a major earthquake in L’Aquila after several tremors was minimal. In this particular case the odds were not in their favor, and a larger earthquake struck, killing more than 300 people. In the trial, relatives of those who lost their lives stated that their family members stayed home based on the scientists’ forecasts. The court’s verdict found six scientists guilty of manslaughter for failing to properly warn residents, stating they had misrepresented the risk. Luckily the charges were later dismissed, but in many ways it was the very science of earthquake forecasting on trial, and you can bet that in the future scientists will be very cautious in the language they use, if they are brave enough to speak up at all.
Risk-Based Security: Are we predicting or forecasting?
These two natural disasters made me think about the nature of risk-based security: to what degree are we making predictions, and at what point are we forecasting? Our technology can gather large amounts of data across our infrastructure and monitor changes and drift, but we can’t really make accurate and trustworthy predictions until this data is aggregated into information that can be understood and acted upon. The CISO is your organization’s meteorologist. Like a hurricane, IT infrastructure changes quickly, with a lot of variables in motion; yesterday’s reports are no longer valuable when the storm changes course.
Even when we have visibility into our infrastructure, there will always be unknowns and elements that are unpredictable. That is why in information security we don’t speak in absolutes, and there will always be a degree of forecasting. Everything is relative: we can assess and monitor security risk, but we cannot guarantee there will be no events. However, we can build our systems so they are more resilient, and ensure that our emergency responders are ready when there is an incident and that our staff are educated and aware.