How to Measure Your Risk on the Internet

Notice how it suggests "YOUR" risk. Not their risk, or the Internet's risk, but YOUR risk. Once a system becomes sufficiently complex, it becomes almost impossible to measure total risk. It's simple: risk isn't an attribute of the larger system; risk is a measurement of YOUR involvement with the system. It determines, for better or worse, how changes in the system can produce harm TO YOU.

Governments and other large bodies tend to get distracted by what they call systemic risk. Instead of solving the smaller failures in some of our weakest links, they try to create a fix-all package that ends up either solving nothing or, worse, creating more risk in the system. What? The banking system is in trouble? Here's a billion dollars. The result? The banks are moderately stable, but consumer debt is at all-time highs with interest rates on the rise. Did we make things better, or worse?

Now, you might ask: what about total systemic collapse? We should be able to measure and protect against that, right? Wrong. You can't. You can certainly protect and insure against a 1, 2 and 3 standard deviation scenario, but past that you're dealing with what are called black swans. They're rare and nobody can predict where they're likely to come from, which is why they're multi-standard deviation scenarios. If you could predict them, they'd be measurable and therefore wouldn't likely cause a systemic collapse.

Think about the recent rise in the stock market. Think about how this all started: a multi-system failure of the various large banks, in which we were TOLD we were … all going to die. As dire as the circumstances were, look what happened. While the system started melting down a bit, the result was actually one of the largest bull markets IN HISTORY. No matter what anyone said back in 2008 and 2009, history has proved they were emphatically wrong about the consequences. For at least a few years anyway. Again, we're not sure if we're better or worse off, but the economy didn't evaporate because of it.

They were also wrong in thinking the system wasn't sufficiently complex to HEAL ITSELF. The same is true for other systemic meltdowns such as 1929, 1987 and 2001. These historical events prove that, while certain [over-exposed] participants did get wiped out, the system as a whole simply became more complex and resilient as a result. Not only that, participants who understood this were able to take advantage of it.

A number of years ago I was involved with a project that set out with a very simple goal: can we measure the systemic risk and health of the Internet? It was an ambitious goal, but one I like to think we could have helped solve. Over a number of years we threw a bunch of different ideas against the wall to ask "if we reached a tipping point of this metric, will the Internet melt down?". We tried everything from DDoS attacks to ransomware insurance risks to "what happens if someone bombs Virginia and AWS goes down?".

TL;DR: While you can, the results don't really matter and you can't stay solvent long enough to make a difference.

The Internet is sufficiently complex that whatever risks are identified will be absorbed and accounted for by the time they are well understood by the market. In the late 70's too much of the Internet was concentrated in too few players; it was commercialized. In the 90's too much of it was in AOL, Prodigy and CompuServe; protocols were developed and little mom & pop ISPs started popping up. In the late 2000's there were too many "central banking system" constraints on financial transactions around the world; blockchain was "invented". I use 'invented' here loosely. Ledger technology isn't new; anyone who has a mortgage knows that. It was just popularized and scaled to meet the demands of a global economy.

Could the Internet melt down and cause catastrophic loss? Sure. Does that really matter? If you can get away with some centralized approaches to the web, while in the meantime building towards a more resilient approach down the road, is the imminent risk of loss much more than just the standard cost of doing business? Is that risk [to your business] greater or less than the risk of you getting into a car accident on your way to work?

Think about that last statement for a minute, because it's important. The elegance of a sufficiently complex system is millions, if not billions, of smaller subsystems all independently determining their own risk on a relative micro scale, which results in the sufficiently simple yet extremely resilient outcome of a complex system. If all those smaller systems are making risk-based decisions in their self-interest at the local level, it means they'll likely have a better overall chance of being in business tomorrow. If they're in business tomorrow, there's a good chance the system as a whole will continue to function.

Does that mean we shouldn't try to measure global risk? No, not at all. In fact as a small retail trader I almost always long my house, family and career, but carry short delta against that everywhere else. Why? I'm always of the opinion that no matter how well the global system is humming along, most people over-leverage on its resilience. Over time the system will accumulate too much "efficiency" (a lack of real resilience) and need to shake it out. I want to be in a position to capitalize on that, because if I'm not… who else will help pick up the pieces?

The same can be said for helping to protect the integrity of the Internet. Will there be times when bad things happen and the Internet needs to re-adjust? Yup. What are some of the things you can do to maintain your agility when this happens?

  1. Monitor and understand key metrics of what makes the Internet function properly. Things like the Internet Storm Center, Internet Traffic Report, AWS Global status, Down Detector and Spamhaus metrics to name a few. Understand where the highest threats are and build protections into your business plan.

  2. Create honeypots and statistical feeds of your own local data. Try to understand not only where your Internet breakpoints are (e.g. your main ISP goes down, what do you do?), but who attacks you on a regular basis, where they're from and why. Get a sense of whose radar you're on and develop a mitigation plan around that.

  3. Learn how to measure anything in CyberSecurity.

  4. Take advantage of all the various ways others measure and calculate risk, cherry pick the good ideas and apply them to your local environment.

  5. Take advantage of various machine learning technologies to help you make more consistent decisions about threats.
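
As an added example (not from the original post), the local statistical feed from item 2 can be sketched in Python: it lists the sources that keep coming back and scores one day's honeypot volume in standard deviations against your own earlier days. The event tuples, daily counts and function names are constructed for illustration.

```python
from collections import Counter, defaultdict
from statistics import mean, stdev

# Constructed sample data: daily event totals for a hypothetical honeypot.
# All addresses come from the RFC 5737 documentation ranges.
COUNTS = {"2024-03-01": 10, "2024-03-02": 12, "2024-03-03": 11, "2024-03-04": 9,
          "2024-03-05": 13, "2024-03-06": 10, "2024-03-07": 12, "2024-03-08": 60}
SAMPLE = []  # list of (day, source_ip) tuples
for i, (day, n) in enumerate(COUNTS.items()):
    # One source shows up every day, one every third day, the rest are one-offs.
    srcs = ["198.51.100.7"] + (["192.0.2.44"] if i % 3 == 0 else [])
    srcs += [f"203.0.113.{i + 1}"] * (n - len(srcs))
    SAMPLE += [(day, s) for s in srcs]


def regular_sources(events, min_days=3):
    """Sources seen on at least min_days distinct days: whose radar you are on."""
    days_seen = defaultdict(set)
    for day, src in events:
        days_seen[src].add(day)
    return {s: len(d) for s, d in days_seen.items() if len(d) >= min_days}


def day_zscore(events, day):
    """Standard deviations between `day`'s volume and the mean of all earlier days."""
    per_day = Counter(d for d, _ in events)
    # ISO dates sort lexicographically, so a string comparison selects earlier days.
    history = [n for d, n in per_day.items() if d < day]
    if len(history) < 2:
        raise ValueError("need at least two earlier days for a baseline")
    sigma = stdev(history)
    if sigma == 0:
        return 0.0 if per_day[day] == mean(history) else float("inf")
    return (per_day[day] - mean(history)) / sigma


if __name__ == "__main__":
    print("regulars:", regular_sources(SAMPLE))
    for day in ("2024-03-05", "2024-03-08"):
        print(day, "z =", round(day_zscore(SAMPLE, day), 2))
```

A day that lands inside three standard deviations of your own history is the kind of scenario you can plan and insure for; the last sample day is far outside it.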

You need to be in business tomorrow in order for the system to function properly. Let others worry about risk two and three standard deviations from your business. Help them and coordinate when they need it. Remember though, it's the competitive nature of business that makes the system resilient.