Why Humans Suck at Asymmetric Risk – And What We Can Do About It

Somewhere between the reptilian wiring of our brain and the ambient noise of the modern world, humans lost the plot when it comes to asymmetric risk. I see it every day—in security assessments, in boardroom decisions, even in how we cross the street. We’re hardwired to flinch at shadows and ignore the giant neon “Jackpot” signs blinking in our periphery.

The Flawed Lens We Call Perception

Asymmetric risk, if you’re not familiar, is the art and agony of weighing a small chance of a big win against a large chance of a small loss—or vice versa. The kind of math that makes venture capitalists grin and compliance officers lose sleep.

But here’s the kicker: we are biologically terrible at this. Our brains were optimized for sabertooth cats and tribal gossip, not venture portfolios and probabilistic threat modeling. As Kahneman and Tversky so elegantly showed, we’re much more likely to run from a $100 loss than to chase a $150 gain. That’s not risk aversion. That’s evolutionary baggage.

Biases in the Wild

Two of my favorite culprits are the availability heuristic and the affect heuristic—basically, we decide based on what we remember and how we feel. That’s fine for picking a restaurant. But for cybersecurity investments or evaluating high-impact, low-probability threats? It’s a disaster.

Anxiety, in particular, makes us avoid even minimal risks, while optimism bias has us chasing dreams on gut feeling. The result? We miss the upsides and ignore the tripwires. We undervalue data and overvalue drama.

The Real World Cost

These aren’t just academic quibbles. Misjudging asymmetric risk leads to bad policies, missed opportunities, and overblown fears. It’s the infosec team spending 90% of their time on threats that look scary on paper but never materialize—while ignoring the quiet, creeping risks with catastrophic potential.

And young people, bless their eager hearts, are caught in a bind. They have the time horizon to tolerate risk, but not the experience to see the asymmetric goldmines hiding in plain sight. Education, yes. But more importantly, exposure—to calculated risks, not just textbook theory.

Bridging the Risk Gap

So what do we do? First, we stop pretending humans are rational. We aren’t. But we can be reflective. We can build systems—risk ladders, simulations, portfolios—that force us to confront our own biases and recalibrate.

Next, we tell better stories. The framing of a risk—description versus experience—can change everything. A one-in-a-thousand chance sounds terrifying until you say “one person in a stadium full of fans.” Clarity in communication is power.

Finally, we get comfortable with discomfort. Real asymmetric opportunity often lives in ambiguity. It’s not a coin toss—it’s a spectrum. And learning to navigate that space, armed with models, heuristics, and a pinch of skepticism, is the real edge.

Wrapping Up

Asymmetric risk is both a threat and a gift. It’s the reason bad startups make billionaires and why black swan events crash markets. We can’t rewire our lizard brains, but we can out-think them.

We owe it to ourselves—and our futures—to stop sucking at asymmetric risk.

Shoutouts:

This post came from an interesting discussion with two friends: Bart and Jason. Thanks, gentlemen, for the impetus and the shared banter!

* AI tools were used as a research assistant for this content, but human moderation and writing are also included. The included images are AI-generated.

The Great Vendor Concentration Risk Circus: A Brave New World?

Hey folks, buckle up because we’re diving into a wild tale that became the talk of the tech town this past weekend—the CrowdStrike and Microsoft outage! As always, I’m here to keep it light on the details but heavy on the takeaways. So grab your popcorn, and let’s roll!

First up, let’s chat about vendor concentration risk. In simple terms, it’s like putting all your eggs in one basket, or as I like to call it—having one favorite vendor at the carnival. Sure, they may have the greatest cotton candy, but when the vendor runs out, or their machine breaks down, you’re left sad and craving sugar! That’s what this outage highlighted for everyone relying on cloud services and cybersecurity—if that one vendor stumbles, everyone in line ends up feeling it![2][4]

Now, what happened with CrowdStrike and Microsoft? Well, it turns out that a software update on July 18 flung a wrench in the gears of countless IT systems across the globe. Reports came flooding in from big-name institutions—banks, airlines, and even emergency services were caught in the chaos! Over 8.5 million Windows devices were affected, reminding us just how interconnected our tech ecosystems truly are.[3][4]

So, what can we learn from this whole spectacle? 

1. Diversify Your Vendors: Don’t just eat at one food stall! Utilize multiple vendors for essential services to reduce the fallout if one faces a hiccup.[1][2]

2. Communicate with Employees: Keep your team informed and calm during hiccups. This situation showed us how vital communication is during a tech mishap.  

3. Prepare for Disruptions: Have contingency plans! Know what to do if your vendors experience turbulence.[1][2]

In closing, while tech might have some dramatic glitches now and then, those glitches are vital reminders of our interconnected world. Let’s take this as a fun little lesson in preparedness and resilience! Until next time, keep your systems and vendors varied and safe!

Citations:

[1] https://www.venminder.com/blog/pros-and-cons-of-vendor-concentration-risk

[2] https://mitratech.com/resource-hub/blog/what-is-concentration-risk/

[3] https://edition.cnn.com/2024/07/22/us/microsoft-power-outage-crowdstrike-it/index.html

[4] https://www.usatoday.com/story/money/2024/07/20/how-microsoft-crowdstrike-update-large-impact/74477759007/

[5] https://ncua.gov/regulation-supervision/letters-credit-unions-other-guidance/concentration-risk-0

 AI tools were used as a research assistant for this content.