If we consider how risk events unfold in reality, they usually occur through a sequence of interacting factors (see Figure 1). For example: A control does not quite work as intended because the usual supervisor is not available, and coincidentally a staff member has unintended access to a system from which they are able to extract personal information. On any other day, those conditions might have been different and resulted in another outcome. The reality, therefore, is that risks emerge as a result of a complex series of interactions among a large number of factors, and small changes in conditions can lead to significantly different risk outcomes.
Risk events also often involve active participants who learn and adapt their behaviors accordingly. Cyber is a good example—the attacker generally is trying to outthink their adversary and stay one step ahead. All of this means that past performance is not necessarily a reliable predictor of the future. There are too many things that can be subtly different, leading to hugely different outcomes.
Author(s): Neil Cantle
Publication Date: May 2022
Publication Site: SOA