Managing Information Security is Managing Uncertainty

Martijn Dekker
9 min read · Mar 19, 2022

If we have learned anything during the last two years of the pandemic, it is that life is uncertain.

The world around us is only predictable, or even understandable, up to a certain limit. Beyond that limit, events are in many cases uncertain. And we have all seen how difficult it is to make decisions under uncertainty. Measures to contain the pandemic were taken in one week and communicated with confidence, their necessity explained, only to be withdrawn or even reversed the next week. This is not wrong. Nor stupid. This is what decision making under uncertainty means: one knows neither the probability of an event nor its impact, let alone the effect of the measures taken against it. This is not wrong. This is hard.

I think that information security is about decision making under uncertainty. Information security in 2022 is not about certain, preventable events, and not even about probable events that can be managed as risks. No, information security is about fundamentally unknowable probabilities and unknowable impacts. Information security nowadays is about managing uncertainty.

Indeed, uncertainty can be managed. But it is important to understand the difference between risk and uncertainty, because the two notions require very different strategies.

An example can illustrate this. Suppose you may draw one ball from either of two vases. The first vase contains exactly 50 red balls and 50 black ones; the second vase contains an unknown mix of red and black balls. If drawing a red ball means you win, which vase would you choose?

And which vase would you choose if drawing a black ball means you win? Clearly one should not prefer the first vase in both cases: if the second vase holds fewer red balls than the first, it must hold more black ones, so it is the better choice in at least one of the two games. Yet people almost always choose the first vase, with its known 50–50 mix, regardless of the winning condition. This is an example of the Ellsberg paradox. The known mix gives a 50% chance of winning. But perhaps the second vase contains only red balls and no black balls. Or the other way round. It turns out people prefer to take…

Martijn holds a PhD and is a top executive, scientist and CISO with more than 25 years of experience pushing the limits of information security.