Fat Tails and Cybersecurity

The Great Moderation

On February 20, 2004, Ben Bernanke, noted economist and member of the Board of Governors of the Federal Reserve System, delivered a lecture to the Eastern Economic Association in Washington, D.C., the subject of which was “The Great Moderation.”

Bernanke was defending the idea, put forth by himself and others over the preceding decade, that business cycle volatility had declined since the early 1980s as a result of structural, and therefore long-lasting, changes in advanced economies. Central bank independence, in particular, was highlighted as the force behind this moderation. The highly educated and competent economists at central banks, equipped with advanced mathematical models and free from the nefarious influence of short-term-obsessed politicians, were capable of predicting and responding to macroeconomic developments with greater precision and clarity, resulting in a secular change in business cycle volatility. We had entered the Promised Land, a place free of economic turmoil.

Almost three years to the day after this speech, Bear Stearns was acquired by JPMorgan Chase in a fire sale after two of its hedge funds failed and nearly brought down the entire firm. Six months after that, Lehman Brothers went bankrupt, ushering in the largest financial crisis since the Great Depression, which plunged the world and the business cycle into a period that could safely be described as volatile.

Bernanke was not the only person who missed the boat. None of this was supposed to be possible. Looking back on it, there is one glaring question: how did we not see it coming?

A constellation of economic theories and policies developed and adopted over the course of the previous 30 years had radically transformed our understanding of risk. The Efficient Market Hypothesis, developed by academics at the University of Chicago, declared that financial markets were efficient because investors a) were driven by rational expectations and b) learned from their mistakes; it was transformed from a hypothesis into an ironclad law of nature. Risk management tools such as value at risk (VaR), employed by investment banks, gave the illusion that risk could be easily quantified and therefore easily managed. The financial industry’s understanding of risk became narrower and narrower, which opened it up to greater and greater losses: firms were less equipped to deal with losses they couldn’t even conceive of.

This great edifice of theory and belief collapsed when the simple reality that people who cannot afford to purchase homes cannot afford to purchase them began to assert itself. What occurred in the aftermath is known as a Black Swan event, a name popularized by the iconoclastic philosopher-trader-risk expert Nassim Nicholas Taleb, who used the example of the discovery of black swans in Australia (only white swans were thought to have existed) to demonstrate how our worldview is susceptible to being overthrown by events and developments we thought impossible or never thought of at all. Because these events, also known as fat tail risks, lie outside of our purview, they have a small chance of occurring, which is why they are ignored, but when they do occur, they transform everything.

What Taleb is offering is a way of thinking about risk that does not seek to predict Black Swan events but rather seeks to build systems that are strengthened, rather than weakened, by the occurrence of a Black Swan event, a concept known as antifragility. The philosophical distinctions and intricacies that Taleb articulates are not worth getting into in this post, but the larger point, that Black Swan events occur and that fat tail risks are real, has critical implications for our business and the work we do at Jungle Disk.

Cybersecurity Risk Management

The cybersecurity industry, despite all of its manifold complexity and all of the various niches it fills and products it offers, really boils down to risk management. Every business has to think about risk, but the portfolio of risks is generally limited to everyday concerns particular to that business. There is nothing wrong with this approach, but it leaves businesses open to catastrophic damage by Black Swan events. It makes them fragile.

In January 2016, no small healthcare practice would have conceived that it would be vulnerable to catastrophic data loss as a result of a global ransomware attack emerging from North Korea that used stolen NSA technology. And yet they were, and this Black Swan event, something that lay far outside the normal set of risks that health practices think of, caused hundreds of millions if not billions in damage.

Here at Jungle Disk, we take this especially seriously given the nature of our clients: small and medium-sized businesses that don’t have large strategy departments or the resources to engage in large-scale enterprise risk management. Jungle Disk exists to think about a particular segment of risk so that our clients don’t have to.

