Many times in my life I have planned activities, checking the weather forecast during the preceding days, hoping that rain was not going to impact my scheduled event.
I have always been curious about this chance of rain. After all, what does a percentage mean when it comes to the weather? For example, today's forecast says there is a 50% chance of rain on Sunday. So I have to plan for the possibility that it is going to rain, treating it as 50% likely or unlikely (depending on my feelings of positivity for the day).
The accuracy of the weather forecast has been a question for many a ruined or rescheduled event holder so I will not discuss this any further here (you have my sympathy).
So, the actual definition of this “chance of rain” varies depending on the location you are requesting the forecast for. As an example, the Australian Bureau of Meteorology uses the percentage as the chance that there will be rain during the 24 hour period, whereas the USA may use a percentage to suggest that 50% of their viewership in a given location will experience rain during this 24 hour period.
The “worst case” for my planned event was that I would have to reschedule it or, more devastatingly, have it ruined, along with the financial or emotional consequences. Because the weather is the risk in this scenario, the likelihood of this “worst case” was high with a 50% chance of rain. A 50% chance of my “worst case” outcome meant I made arrangements to mitigate it; I am a calculating individual after all. This cost me more, as I needed to arrange a plan B, but the additional cost was minimal compared to failing: I had mitigated the “worst case” outcome for a 10% higher total cost for my activity.
What is the likelihood of “worst case” in any given situation? “Worst case” is quite possible, and obviously devastating.
In cyber resilience circles (and many risk scenarios) we may use the term “worst case” to describe the most problematic outcome that can occur in relation to a cyber breach or incident. To our board of directors and managers, this term “worst case” might appear to mean “unlikely”, i.e. a “worst case” scenario is extremely uncommon, and therefore planning for something so improbable takes a back seat to what seem to be more current and pressing issues.
In reality, “worst case” is not at all unlikely. It is simply the potential negative effect of an event, and it is just as likely as any other scenario for a given set of circumstances and inputs.
A worst case scenario can have a 50% probability of occurring, or it can have a 10% or 1% probability; none of these would I be prepared to bet against where the result is devastating for a business, its employees or its customers. Even at 1 in 100, the odds are stacked against you when you cannot “see” what the other “side” is doing, 24 hours per day, 7 days per week, per attacker.
As cyber security practitioners, we should recognise that the term “worst case” is easily misinterpreted by the business leaders we are guiding and therefore may lose impact. This renders any “worst case” scenario as just another unlikely possibility, when in fact a “worst case” incident could be very likely and completely devastating.
In planning around risk, use the term “worst case” sparingly. Be aware that the interpretation of a “worst case” event happening may not be what you intend, and be sure to assign more detail to any “worst case” scenario you are presenting.
Or, even better, don’t use the term “worst case” at all. Teach your business leaders and board members that cyber resilience is about improvement and raising your maturity, not “worst case” situations, as at the end of the day, if you focus your efforts on the negative there will never be any improvement.
As far as the weather forecast is concerned, my personal acquired experience and wisdom is that a 50% likelihood of rain is just as random and unlikely as a 10% chance! Please don’t trust the weather forecast!