What surfing taught me about cyber risk management

I surf; not well, but I can consistently get up on a board. Yet, for the longest period of time, there was no progression in my skills and there was a very limited set of conditions in which I felt comfortable paddling out. Classically, you’d call this a rut. And I couldn’t figure out why my skills weren’t improving. It wasn’t until I began looking at my surfing practice more systematically that I saw marked improvements – and, as it happened, I stumbled on some insights that have helped me think more coherently about cyber risk management and risk quantification.

I think risk management (broadly) and cyber risk management (specifically) has been in a similar rut for some time – and could use some conceptual enhancements to help us all better understand and communicate cyber risk. My hypothesis is that rather than viewing cyber attacks in a vacuum at the point of impact, we should step back and think about the dynamics that drove the attack in the first place and evaluate the risk more systematically.

The point here isn’t that wave forecasting can provide advanced warning or predictive analytics for cyber attacks; rather, by studying and better understanding the component elements of ocean wave forecasting  we can think more concretely about concepts that have heretofore been difficult to articulate and navigate because too often we think about risk in a vacuum as opposed to risk as a part of a broader complex system.

Before proceeding:

• I highly recommend the book, “Surf Science: an introduction to waves for surfing” by Tony Butt, from which I have extracted and adapted and extracted the science below. Even if you have zero interest in surfing, you’ll find this book really interesting and informative. You’ll see the ocean differently – and you may extrapolate some of those concepts in your risk management role or, at the very least, have a better appreciation for the awesomeness that is the ocean. Another quick 4 minute primer will help you see visually some of the concepts I’m trying to capture below and might be helpful to you.
• For the record, I’m about as much of a marine biologist as George Costanza. I am not a scientist, oceanographer, marine biologist or anyone who is remotely qualified to tell qualified people things about the ocean – just a guy who read a book during quarantine and thought some of the book’s concepts were relevant to something I am passionate about: quantitative risk management. And I am radically oversimplifying many of these concepts for the express purpose of helping to create a mental model – I hope you find it useful and perhaps build on it in your own way. 

With those caveats, let’s start (and finish) with the basics. From the point of reference of a surfer on the beach looking out at the sea, four key variables – and their complex interaction with each other –  impact the instantiation of what we know and think of as waves as they approach the shore…and will impact your surfing or day in the water:

1. Winds – pressure differentials drive how air flows across the surface of the water, which in turn drives the formation, sustainment, and build of waves as they traverse the oceans
2. Swells– the force or energy that is imbued into the water from winds and which propagates and distributes the waves thru space
3. Bathymetry – fancy word for shape and contour of the sea floor (Example: waves will interact differently with a sand bottom than, say, a coral reef)
4. Tide – the seasonally-impacted alternated rising and falling of the sea due to the complex interplay of the pull of gravities from the sun and moon

A visible ocean wave as it approaches the shore in essence is the instantiation of these variables at a given point in time and space – and, it is derived from component variables.  This is analogous to risk in it most basic form (Asset-impact/Threat/Vulnerability).

These four core forces interact with each other in surprising and counter-intuitive ways through such phenomena as amplification or cancellation.

We see a wave only at the terminal phase of its journey through the oceans – much like a cyber attack. But we can look broadly at the distinct variables that can help evaluate cyber risk through a systems approach.

Key ocean-wave variables	Surf & ocean context	Cyber risk context
Wind	Pressure differentials drive how air flows across the surface of the water, which in turn drives the formation, sustainment, and build of waves as they traverse the oceans	Look at high and low pressure systems forming out in the “ocean” and see how these may change your assumptions. Who would target your organization and why? A rapid change in the geopolitical landscape can change the assumptions about your threat landscape.
Swell	The force or energy that is imbued into the water from winds and which propagate thru space. Multiple swells (from different storm systems) can simultaneously amplify or cancel forces.	How organized and strong (e.g. skilled) are the threats as they approach a given coast and how does your bathymetry impact the swell?
Bathymetry	Shape and contours of the Ocean floor.	What are the external contours of your organization or network– how do the swells (threats) interact with the bathymetry of the organization to amplify or cancel waves?
Tides	Waters’ rise and fall.	Timing is critical in cyber attacks. From an attacker’s perspective: the right attack at the wrong time can amplify an organization’s vulnerabilities. Business cycle and business operations can create temporary or periodic vulnerabilities. Security professionals can’t control these cycles but we can often times see how business trends can impact an organization’s vulnerability. A business that is seeing slowing revenue growth or compressed margins might be less inclined to make security investments.

So, an effective cyber risk management program should help you manage these complex forces just as a surfer subtly use the principles of physics to ride a wave.

And while the scope of this humble article can’t cover the concept of the Coriolis force, it’s worth referencing. The Coriolis force is related to the dynamics of air pressure and is “a fundamental mechanism in oceanography and meteorology” that “affects ocean currents as they move around the globe.” Said another way, the Coriolis force helps explain the four variables’ existence in the first place. In the context of this article, I tentatively think of this force as akin to the dynamic geopolitical landscape we find ourselves in – where there are proxy battles being waged between in cyber space between and among nations, cybercriminals, and other nefarious cyber actors.

Small changes in the Coriolis effect in the southern hemisphere of the Earth can have profound impacts as those four forces interact over wide distances – it’s worth noting the genesis of an attack on your network could have seeded long ago and due to forces that couldn’t be predicted or expected.

Your existing cyber risk management program probably proceeds to identify, evaluate, manage, and mitigate risk endogenously – that is, looking inwardly and systematically at your vulnerabilities and how those vulnerabilities, when acted upon by an outside force (threat), contribute to some negative operational, reputational, financial, legal, regulatory impact(s).  I hope this analogy to waves, and how it was used to improve my surfing, has given you some food for thought.  Looking at threats and attackers differently can improve your organization’s risk management capabilities. 

Photo: Tracey Roberts / South Africa Surf Tours. Joe pictured at Muizenberg Beach, South Africa.