Cyber risk moves anticlockwise
Applying these risk quadrants to a cyber context, we can see that cyber risk travels in an anticlockwise fashion. Starting in quadrant three, unknown unknowns – sometimes called ‘black swan’ events – are events that have never happened before, so we are completely unaware of them. This was generally the case for cyber risk 20 years ago. But once the first attack of a certain type occurred, ransomware for instance, it moved into quadrant two as a known unknown. Awareness dawned that this type of attack vector existed, even if it was hard to quantify when or where such an attack might take place.
Today we stand on the threshold of quadrant one, with cyber-attacks happening so often that there is a reasonable historic data set with which to quantify the risk. So there is at least some small upside to the increasing frequency of cyber breaches: actuaries have richer statistical input for their models, enabling better pricing of risk.
In summary, each new emergent cyber threat moves from quadrant three to quadrant two and then on to quadrant one. From unthinkable, it passes through uncertainty to end up as commonplace.
Astute readers will notice we have ignored quadrant four, as Rumsfeld did. Fear not, we pick up this thread in View #24.