Managing Information Security is Managing Uncertainty

If we have learned anything during the last 2 years, during the pandemic, it is that life is uncertain.

The world around us is only predictable, or even understandable, to a certain limit. Beyond that, events are in many cases uncertain. And we have all seen how difficult it is to make decisions under uncertainty. Measures to contain the pandemic, were taken in one week, and communicated about with confidence, explaining the necessity, only to be withdrawn or even reversed the next week. This is not wrong. Nor stupid. This is what decision making under uncertainty means: one does not know the probability of an event, not the impact of events, let alone the impact of measures. This is not wrong. This is hard.

I think that information security is about decision making under uncertainty. Information Security in 2022 is not about certain, preventable events, not even about probable events that can be managed as risks. No, information security is about fundamentally unknowable probabilities and unknowable impacts. Information security nowadays is about managing uncertainty.

Indeed, uncertainty can be managed. But it is important to understand the difference between risk and uncertainty, as the two notions require very different strategies.