The Cyber Butterfly: Risk Management Challenges

Every person realizes, at least I hope they do, that society is moving into a new state of being: a new realm, if you will, that is being continually reshaped by four technological forces: digitalization, mobility, the Internet, and the cloud. (I’ll use the “web” instead of “the Internet” going forward but please realize I’m using the GUI version of the Internet for the sake of brevity.)

I believe that the confluence of The Butterfly Effect (much more below) and the new realm has significant implications for risk management.

What’s in a name?

I have several names for this new realm: 1) the mobile, digital, cloud-enabled, web-accessible transformation of the marketplace (and society), 2) the digital age, 3) the digital era, 4) “the cyber age”, or 5) “the cyber era”. In my book – written during the Pandemic – titled “From Stone Tablets to Satellites: The Continual Intimate but Awkward Relationship Between the Insurance Industry and Technology” (published by Wells Media Group, Inc. in June 2022) I call it the 5th Technology Era.

But the name, whatever name you like, is just a label providing some indication regarding what the era is all about. I submit that whichever of the labels I mentioned you choose, it still hides an essential truth about both this cyber age and previous eras.

The changing mix of digital and physical artifacts

The essential truth is that in previous eras, society has been entirely or mostly populated and involved with physical artifacts. Physical artifacts were the essence of the Agrarian Era and the Industrial Era. Our thought processes during those eras were of sequential actions, of ‘if this – then that’, and of pulleys and levers.

During the Information Era, society realized that physical artifacts had some degree (or density) of data and created capabilities to extract and use that data. Of course, during this era, society also digitized many data artifacts, including at a minimum: forms, documents, correspondence, communications, and meetings.

Now, during our current mobile, digital, cloud-enabled, web-accessible era (i.e. the Cyber Era), the number and nature of digital artifacts continue to expand and simultaneously become connected to the web. Moreover, physical artifacts are also being connected to the web (with IP-enabled sensors attached to them or embedded within them), carrying the up-to-date abbreviation of IoT. Finally, seemingly every web-connected artifact (digital and physical) is becoming interconnected and, increasingly, interdependent. (Note: IPv6 can’t come fast enough.)

Physical artifacts remain: they’re not going to disappear. But the mix of digital artifacts to physical artifacts continues to skew heavily towards the numerator.

The web as holistic hub

During the Cyber Era, the web became and is increasingly becoming a holistic hub (inter)connecting people (using IP-enabled devices) and IP-enabled animals (including farm animals and pets), household devices, toys, companies, schools, entertainment venues, personal vehicles, commercial vehicles, and computers. Their location on the planet is irrelevant and each is available on smart, mobile hand-held communication devices.

Our thinking has expanded (or should be expanding) – through all the eras – beyond sequential to include asynchronous, simultaneous, and holistic viewpoints. But I submit that our ‘if this – then that’ thinking continues to persist as a mainstay mental model.

The Cyber Butterfly Makes Its Appearance

The Cyber Butterfly is a logical construct of a digital ecosystem. It is an important reminder to risk managers that thought processes – with their associated algorithms, models, and analysis – that were appropriate in previous eras won’t be appropriate to manage emergent risks in the Cyber Age.

Question: Why is mentioning the Cyber Butterfly important?

Answer: The confluence of the four technologies – and their associated applications – of digitization, mobility, web, and cloud has been forming, and continues to form, an ever-expanding interconnected and interdependent digital ecosystem.

There is a significant amount of discussion of the technologies – individually and as a group of four – but not as much discussion of the risk implications for society, businesses, and individuals as I believe there should be.

I’ve heard several times from insurance professionals that “risk professionals can handle cyber risk just as they have handled the multitude of risks that have emerged throughout the previous centuries”. However, those historic risks were focused on physical artifacts, the digital content of physical artifacts, or the expanding portfolio of digital artifacts alone or in combination (with each other and/or with nature).

The risks in the other eras didn’t emerge or exist from an ever-expanding global interconnection and interdependence of people, businesses, and ‘things’ because that would have been impossible at the time. Now, in the Cyber Age, cyber risks can, do, and will continue to exist. (Yes, digital risks occurred as soon as the first computer appeared, but I’m focusing on cyber risks – risks from an interconnected and interdependent plethora of digital and physical artifacts.)

The Cyber Butterfly is my suggested signpost that several associated concepts have come into play that need to be understood – at some minimal level – to think about, identify, and manage the risks (where and when possible) of the Cyber Era:

  1. The Butterfly Effect
  2. Chaos Theory
  3. Complex Adaptive Systems
  4. Ecosystems

(Note: All the far too brief discussions below of the four concepts are from Wikipedia. Each of the four has had untold volumes written about it, individually and in combination with the others.)

The Butterfly Effect

The Cyber Butterfly is a digital instantiation of the insect featured in Lorenz’s “Butterfly Effect”. From Wikipedia:

“In chaos theory, the butterfly effect is the sensitive dependence on initial conditions in which a small change in one state of a deterministic nonlinear system can result in large differences in a later state. The term is closely associated with the work of mathematician and meteorologist Edward Norton Lorenz.

He noted that the butterfly effect is derived from the metaphorical example of the details of a tornado (the exact time of formation, the exact path taken) being influenced by minor perturbations such as a distant butterfly flapping its wings several weeks earlier.”

Chaos Theory

“Chaos theory is an interdisciplinary area of scientific study and branch of mathematics focused on underlying patterns and deterministic laws of dynamical systems that are highly sensitive to initial conditions, and were once thought to have completely random states of disorder and irregularities. Chaos theory states that within the apparent randomness of chaotic complex systems, there are underlying patterns, interconnection, constant feedback loops, repetition, self-similarity, fractals, and self-organization.”

Complex Adaptive Systems

“A complex adaptive system is a system that is complex in that it is a dynamic network of interactions, but the behavior of the ensemble may not be predictable according to the behavior of the components. It is adaptive in that the individual and collective behavior mutate and self-organize corresponding to the change-initiating micro-event or collection of events. It is a “complex macroscopic collection” of relatively “similar and partially connected micro-structures” formed in order to adapt to the changing environment and increase their survivability as a macro-structure.”

Ecosystems

“An ecosystem consists of all the organisms and the physical environment with which they interact. Ecosystems are controlled by external and internal factors. Ecosystems are dynamic entities—they are subject to periodic disturbances and are always in the process of recovering from some past disturbance.”

A Digital Twin Ecosystem Emerges

There are many uses of the term ‘ecosystems’ throughout society, business, and technology. One common usage of the term means a portfolio of businesses and technology partners linked together by Application Programming Interfaces (APIs).

However, in this blog post, I do not use the term “ecosystems” from the perspective of API usage but rather from the perspective of natural ecosystems, as described above in the Wikipedia description. That specific perspective has lessons for business and digital ecosystems.

For me, an ecosystem is a complex adaptive system with chaotic arenas embedded in it.

More specifically, society is building a Digital Twin Ecosystem (implicitly except for the people wanting to or actually building ‘smart cities’) through the use of the four technologies (and their applications): digitization, mobility, web, and cloud to support customer, commerce, and corporate objectives.

Increasingly, every person, business, physical artifact, and digital artifact will be, and is becoming, interconnected and interdependent (e.g. fish tanks, home smart appliances, personal vehicles, commercial trucking fleets, bees [yes, bees], cattle, …).

Source: Image from Bing.com

The above visual does not even begin to reflect the reality of the scale, scope, and reach of what is happening and what will happen in the still forming Digital Twin Ecosystem.

The primary result is that society is quickly moving to operate (e.g. live, work, consume entertainment, communicate, shop) in a complex adaptive system. A secondary result is the emergence of current and future risks that couldn’t occur in previous eras for reasons I already stated.

(When I think about future cyber risks, I flash back to a scene in the HBO series “Game of Thrones” when Lady Olenna, speaking of Cersei, says “That was my prize mistake. A failure of imagination. She’s a monster, you do know that?” I believe that the essential principles and characteristics of a digital ecosystem will: 1) minimize the impact of whatever imagination cyber risk modelers have, and 2) always keep the cyber attackers several steps ahead.)

Principles and Characteristics of an Ecosystem

Delving a little deeper into ecosystems, there are four overarching principles and four characteristics that describe ecosystems (whether natural, business, or digital ecosystems). (See visual below.)

Source: “From Stone Tablets to Satellites: The Continual Intimate but Awkward Relationship Between the Insurance Industry and Technology”, by Barry Rabkin June 2022 Wells Media Group, Inc.

Principles of an ecosystem

  1. The ecosystem itself continues to change as various forces act on it (e.g. catastrophes, introduction of new species, the disappearance of existing species) and simultaneously within it (e.g. the continual predator / prey dynamic)
  2. The rules of survival and adaptability change as the ecosystem changes.
  3. Outcomes are unpredictable in terms of scale and scope
  4. The co-evolution (between predator and prey) dynamic itself drives evolution (of predator, of prey, of the ecosystem itself).

Characteristics of an ecosystem

  1. Being Aware: Also known as “sense and respond”. Participants in an ecosystem have to understand the pertinent events happening in the environment – introduction of new competitors, introduction of new technology and its applications, introduction of new applications of existing technology, changed or new regulations, shifting demographics and associated expectations – and develop, possibly pilot, and implement requisite initiatives.
  2. Self-Organizing: Continual realignment with the changing marketplace. Ecosystem participants will develop (are developing!) organic processes independent of central control that enable them to continually alter their current modes of attack.
  3. Creating Perpetual Novelty: Biologists call this characteristic the need for never-ending newness. In the natural ecosystem, prey develops new capabilities to better fend off predators, while successful predators counter with their own evolutionary innovations.
  4. Learning Under Pressure: In the natural ecosystem, biological species survive by adapting as quickly as the rate of transformation of their predators and of the ecosystem. In a business or digital ecosystem, competitive advantage, no matter how short or long a period of time, comes to the firm (firm that has been cyber attacked or the cyber attacker) that learns the most quickly.

Who is going to learn from the principles and characteristics of ecosystems first? And continue to learn – and adapt more quickly? Cyber defenders or cyber attackers? And why should insurance companies pay for the never-ending, ‘difficult to model and measure’ back-and-forth digital action (where the odds are ever in favor of the predators)? (Apologies to the character Effie Trinket from the “Hunger Games” movie.)

Traditional Sources AND Cyber Risks

I continue to posit that risk managers are being faced with, and will continue to be faced with, new and unique risks during the Cyber Age. However, traditional risks are not going to disappear, either at all or at least not that quickly. (That’s certainly worth some research effort over the months and years ahead: how many “traditional risks” are themselves going to continue to appear on the risk landscape?)

In my book “Stone Tablets to Satellites”, I discuss five macro focal areas of risk (see visual) that are sources of risk either alone or in combination with each other (and, of course, each macro area of risk with people). The Digital Artifacts area only begins to touch on the risks found in the Cyber Age – in my next book focusing on insurance and cyber I plan to delve much further into the sources of cyber risks.

Source: “From Stone Tablets to Satellites: The Continual Intimate but Awkward Relationship Between the Insurance Industry and Technology”, by Barry Rabkin June 2022 Wells Media Group, Inc.

However, I believe that the risks of the previous eras do not necessarily serve as a foundation to identify, model, and predict losses of the current and emergent risks of the Cyber Age.

Why?

There is a panoply of economic, market, political, and societal reasons why the risks in the Cyber Era are markedly different. But for the purpose of this risk management-focused blog post, I believe the critical differences are that:

  1. Cyber risks are different in kind rather than different in degree.
  2. The expanding scale of cyber risks (and their associated losses) is, or will increasingly become, many magnitudes different from that in the previous eras.
  3. Cyber risk management demands multi-dimensional, non-linear approaches to understanding the risks, modeling them (if that is even possible), and limiting the losses they cause.
  4. Professionals responsible for securing their companies from cyber risks are, themselves, at risk of fines, arrest, and imprisonment (or probation). Today CISOs. Tomorrow CIOs, CTOs, CFOs, and Risk Managers?

Final Thoughts

In a digital ecosystem, past risk management experience (including its associated learned underwriting and pricing skills), along with the accompanying ‘if this – then that’, asynchronous, simultaneous, and holistic thought processes, is, at best, necessary but far from sufficient.

Nonlinear thought processes, algorithms, models, and analytics are required to understand and manage the risks that are emerging or could emerge in a digital ecosystem. Some degree of knowledge of complex adaptive systems (with perhaps a touch of understanding of chaotic systems) would also help.

However, to succeed at risk management, prey (aka digital victims who have been cyber attacked or who will be cyber attacked [initially]), cyber risk loss modeling firms, and (re)insurers need to keep one truth in mind:

In an ecosystem (natural, business, or digital), it is impossible to “see around corners”.

Note: In the early part of the 2000s, I had a wonderful opportunity to partner with Dave Bradford to research complex adaptive systems and chaos. Our focus was to learn the lessons that natural ecosystems have for business ecosystems. The results of our research were articles for Best Review, Resource Magazine, and several presentations to insurance audiences. I have excerpted some of our results in this blog post.

Soon after we completed our research, I joined Advisen and reported to Dave on the editorial team tasked with doing the Front Page News and writing research reports including Management Liability, D&O (which I needed a lot of help with), and Intangible Assets.
