The predictability and understandability of the world around us are limited, and many events are uncertain. Making decisions under such uncertainty is difficult, as demonstrated by the changing measures taken to contain the COVID-19 pandemic. These decisions are not necessarily incorrect; rather, they reflect the difficulty of decision making under uncertainty, where the probability and impact of events and measures are unknown. Information security is rapidly positioning itself around making decisions in uncertain situations. This means that it is not just about preventing or managing probable risks, but about dealing with unpredictable probabilities and effects. To contend with this, information security leaders should therefore adopt strategies that reduce uncertainty and hence improve the quality of decision making. Risk assessment is a principal element of evidence-based decision making, especially in an ever-changing cyber threat landscape that constantly introduces uncertainties. It is therefore essential to recognize that addressing uncertainty requires a new methodology and risk analysis approach that considers both known unknowns and unknown unknowns. To address this challenge, we propose a threat-intelligence-based security assessment and discuss a decision-making strategy under uncertainty, both of which support decision makers in this complex undertaking.