We have to ask ourselves; at what point does an unexpected outcome via expert prediction justify a prison sentence?
Minutes after I delivered cyber risk assessment results to my Italian client, I heard the news – six Italian scientists and a government official have been sentenced to six years in prison over statements they made prior to a 2009 earthquake that killed 309 in the town of L’Aquila in Italy.
The offense? Manslaughter.
This group was comprised of well-respected members of the National Commission for the Forecast and Prevention of Major Risks which apparently the public had deemed as being able to predict the precise outcome of a natural force. Because they inaccurately assured locals that they were in no danger from the earthquake, the court saw this as a direct parallel to manslaughter.
While this conviction may bring about a sudden sense of justification to a revenge-seeking general public, it compromises experts everywhere.
Yes, including cybersecurity and risk management professionals.
Think about it.
Our exact position as security and risk management professionals is to predict doom and gloom. We are careful about the assumptions we make, we try to build in as much scientific rigor as possible in our process and quantify the risks the best we can, but the reality is that all our predictions are a range of outcomes and their likelihood. Even one-in-a-million outcomes happen occasionally (well, once in million times)… We communicate our findings in the most precise way possible to audience that often doesn’t understand statistics. We sometimes even temper our message and try not to sound too pessimistic as we understand that businesses have to balance security with growth, innovation and fast reactions to the market.
After the results of this court case, why would we ever communicate less than the worst possible outcomes or stray from the most pessimistic prediction?
What this court decision does is serves as a permission slip for people to use experts as scapegoats when they don’t like the outcome.
For the experts, it means that we should always predict the most terrible possible result and present that to our clients. Not because we think it it’s the most likely outcome, but because we can’t prove that it isn’t. While this may not be how we are accustomed to evaluating security threats, it may be the only thing that can keep us out of jail.
For over 30 years, Marin Ivezic has been protecting critical infrastructure and financial services against cyber, financial crime and regulatory risks posed by complex and emerging technologies.
He held multiple interim CISO and technology leadership roles in Global 2000 companies.