Monday, September 27, 2010

BP spill a Black Swan?

It's really old news (in fact, the well is finally closed at this time), but it's interesting to follow the discussion about the BP spill and whether it could be considered a "Black Swan".

Alex is right to complain about the abuse of the concept. But I'd like to point to another aspect. People usually relate the Black Swan concept only to the probability of the event occurring. A very important aspect of those events is the impact. In fact, the higher-than-expected impact. Like Alex, I also believe that BP was aware of the chances of a spill occurring at Deepwater. But did they expect the results of the spill? The billions in losses? What I think makes the spill a good example of a Black Swan is the fact that the consequences were far higher than expected. And this aspect generates even more interesting considerations for our infosec discussions.

Most of the time spent in risk assessments goes to the likelihood of an incident. I don't know why the impact aspect does not get the same amount of thought... maybe a careful consideration of the outcome of an incident will be seen as FUD? "Are you saying that an accident on a single platform can cause billions in losses for the company? C'mon! That's FUD!!"

The Black Swan card is often seen as an excuse when the likelihood of an event was underestimated. Even if sometimes that's true, we should also see it as an indication of a lack of resilience: a single incident causing catastrophic results. As someone said one of these days on Twitter, the "failed miserably" expression is too common now. So, instead of trying to reduce the likelihood of those failures, what about working to make them less miserable?