Black swans eat your risk assessment

Introduction

Within cyber risk management, we find specified risks and Black Swans in a perpetual duel. Specified risks are the known, measured risks that come out of assessments, while Black Swans are the unpredictable, game-changing events that swoop in when least expected. We take great care to identify, assess and evaluate cyber risks, e.g. based on application risk assessments, pentests, vulnerabilities and policy deviations. However, these risks then appear on different layers of the organization. Aggregating them is complex, and a single simple vulnerability can ripple through the whole business. Cyber security teams spend a lot of effort trying to assign a monetary value to every single vulnerability, while at the same time withdrawing from a central perspective because business units are accountable for the cyber risks that come with their applications.

A Financial Balancing Act

So, is the management of specified risks a waste of time, given the unpredictable nature of Black Swans? Not quite. It’s like building strategies in chess; you need to know the regular moves but also be prepared for the surprise checkmate. Focusing solely on specified risks could lead to a financial faux pas, leaving entities vulnerable to the unexpected and impactful moves of the Black Swans. However, specified risks let us apply mitigation measures precisely and prioritize what should be done first. Still, as companies fear large investments and projects that at first sight seem endless, we tend to mitigate single risks while failing to tackle the overarching, systemic risks. With vague risk management, we must instead search intensively for the individual paths that attackers can take to achieve their objective. Threat models and red teaming can help with that.

Overfitting feels secure

Overfitting in risk mitigation strategies occurs when we fine-tune our defenses based on past experiences, overlooking the possibility of new, unprecedented threats. So, when we only look at the specific risks we manage, and possibly even feel secure because we have defined mitigation measures, we miss the big picture. This doesn’t mean flooding the board with pieces (risks) but placing the right ones and having the resources ready to make a move when necessary. While the CISO plays a critical role in managing specific technical risks, the real challenge lies in maintaining a bird’s-eye view of the digital infrastructure. By understanding the interplay between specified risks and the potential for Black Swan events, organizations can develop a more robust and dynamic cyber risk management strategy.

Conclusion

For a business-driven approach, there is nothing wrong with having only a few cyber risks in your corporate risk management system, if you actually put the respective money aside. At the same time, trying to quantify specific technical risks often leads to – at best – vague results. These specific risks need to be managed centrally by your CISO. Plus, you need to keep an overview of the chess board and tackle the risk that lies in your company’s digital infrastructure. In case of a high-impact cyber incident, you need broadly framed cyber risks that help you measure the runway: how long the business can survive until it runs out of liquidity or loses significant clients. On the lower level, you need to manage specific risks in order to identify insecure developments and applications. In any case, cyber security teams are responsible for overseeing the risk posture and providing the business units with a secure environment.

1 thought on “Black swans eat your risk assessment”

  1. I have been surfing online for more than 3 hours today, yet I have by no means found any article as interesting as yours. It is worth enough for me. In my view, if all site owners and bloggers made excellent content as you probably did, the internet would be a lot more helpful than ever before.