What can cyber risk management learn from quantum theory? Are there similarities or shared challenges that both studies face? After all, they are largely esoteric, they seek to quantify the seemingly impossible, and both are faced with the sad fact that those that espouse their respective practices are often maligned as believing in ‘hooey.’
What I would like to present are what I believe are compelling similarities between determining the state of an organization’s cybersecurity posture and the concepts behind quantum theory; trust me, the similarities are fascinating!
Don’t worry, we will not be diving into the maths behind quantum mechanics; I am neither fluent nor intelligent enough to do so.
Up until the 1900s, scientists believed that our physical world could be understood through a deterministic system: the relationship between the known state of one object and its effect on the state of another object, which can be overly simplified to cause and effect.
However, around the 1920s, scientists began to discover phenomena that existed in a non-deterministic state: an object's state (reaction) could not be accurately predicted based solely on the intervening forces upon it. With that realization, the study of quantum physics was born.
Author's Note: For the mathletes among us, you may be thinking that cyber risk can best be quantified using differential equations, thus negating any relevance to quantum mechanics, to which I say, you are correct! But only when linear equations are used to approximate variables for the inherently non-linear world that cyber risk exists within. Yes, theoretically, non-linear equations could be used to quantify an organization's overall cyber risk. However, the premise of this article is that I believe the concepts of quantum mechanics are well suited to help explain and understand the relationship between an organization's cyber risk posture and its relevant environment.
A gross oversimplification of quantum mechanics
It is incredibly tempting for me to dive into the nerdgasm that is my tenuous grasp of quantum mechanics. Seriously, the idea that the concepts of superpositions, eigenstates, conjugate variables, and Heisenberg’s Uncertainty Principle could potentially apply to cyber risk management has me wanting to observe my own system state; giggity!
Ok. Now that I’ve got that out of my system, for the purposes of this discussion, there are just a few basic concepts we need to understand about quantum mechanics:
- In classical physics (macroscopic), the observable state of an object’s many variables (speed, direction, temperature, etc.) can be quantified by determining the interceding forces (gravity, heat, wind resistance, etc.) upon that object.
- In quantum physics, the certainty we have about any one of an object's properties is inversely proportional to our ability to quantify any of its other properties (the uncertainty principle).
- A quantum state is defined as a system that is in ‘coherence’ with itself.
- In quantum mechanics, a system can exist in a ‘superposition’: being in two or more states simultaneously.
- Decoherence explains the environmental effects that alter or decay a system's coherence.
- In certain circumstances, attempting to measure an object's state is enough to alter its observable state (observer effect); an object can only be observed in a single, randomly determined state.
The Quantum Equivalence for Cyber Risk Management
As an exercise, let’s now make the same list but using cyber risk management terms:
- In classical enterprise risk management (ERM), the observable state of the organization’s financial risk can largely be quantified and reported.
- In cybersecurity, the organizational resources assigned to identify and measure (qualify/quantify) threats and risks are inversely proportional to the organization's remaining resources for remediation.
- An organization's state is in coherence when it is determined to be 'within appetite'.
- In risk management, an organization can exist in a ‘superposition’: being in two or more states simultaneously.
- Risk management explains the environmental effects that alter or decay an organization’s state to ‘outside of appetite’.
- In certain circumstances, attempting to measure an organization’s state is enough to alter its observable state; the method, tools, skill, and scope of the observation determine which criteria, thus which state, is observed.
Copenhagen And The Cat
From 1925 to 1927, the Copenhagen Interpretation was developed and largely agreed upon as the prevailing set of principles of quantum mechanics. Key among them was that a quantum system remained in this superposition (being in one or more coherent states) until it interacted with, or was observed by, the external world (observation effect). When that happened, the superposition would collapse into one of its possible definite states and thus be measurable (decoherence).
In risk management, this would be akin to stating that an organization is in a superposition of being simultaneously within and outside of appetite, or simultaneously secure and insecure, which, I think, we can all agree is a pragmatically accurate statement. However, the Copenhagen Interpretation goes further. It says that the only way to determine the actual state (secure or insecure) is to either interact with it or observe it. Doing so will trigger decoherence, thus collapsing the system from superposition (multiple states) to a single state. So, if true, this would mean that the only way to objectively know the state of an organization is through interaction with, say, an incident, or through observation by an auditor or by a vulnerability, penetration, or risk assessment.
On its face, the Copenhagen Interpretation actually seems like a rational approach. After all, the only way to know the true state of something is to apply tension to it, right?
Austrian physicist Erwin Schrödinger disagreed. In 1935 he put forward the Schrödinger’s cat thought experiment – this was a thought experiment. No harm came to Erwin’s cat, Milton. The hypothesis he asserted was that, contrary to the Copenhagen Interpretation, neither interaction nor observation is required for the decoherence of a system into a single state thus making it quantifiable. Instead, he opined that decoherence does not generate state collapse, it only provides an explanation for the observation of state collapse.
The Cat in the Box
Schrödinger's cat establishes that, free of interaction or observation, a system can be in a mixture of states (the cat can be simultaneously alive and dead) and that interaction and observation only serve to determine the cat's state for the observer.
To prove this, Schrödinger performed a simple thought experiment. He stated that if one were to place a living cat into a box containing a Geiger counter, a single tiny radioactive substance encased in a vial, a hammer, and a flask of hydrocyanic acid, and the box was left to sit for one hour free of interaction and observation, then, upon opening the box, it would be equally plausible to find a living cat as it would be to find that the radioactive substance, through atomic decay, had eaten through its containing vial, triggering the Geiger counter, thus releasing the hammer to smash the flask of acid and kill the cat. YUCK!
Interestingly, just like Schrödinger's cat, cybersecurity does not adhere to the Copenhagen Interpretation. Like the cat, the state of an organization's cybersecurity posture has long been determined before any interaction by way of an incident or observation through an audit or assessment. Simply put: interacting with or observing something has no relationship to its state, only to our understanding of it.
Bringing Cyber Into Organizational Coherence
Let's recap: Heisenberg's Uncertainty Principle says that the more we quantify a single metric, the less able we are to quantify other associated metrics; our organization is simultaneously existing in multiple states of cyber-coherence; there is a need for organizations to balance these simultaneous states against unknown and ever-changing environmental influences; and there is the realization that simply observing these delicately balanced states could bring about not the cause of decoherence, but merely the possible discovery that, despite all those balancing efforts, our organizational state is in decoherence – or maybe it isn't, and the proverbial cat is still alive. Seriously, it is no wonder that there are parallels between quantum mechanics, risk management, existentialism, and abject nihilism.
Regardless of opinion on the similarities cyber risk management has with quantum mechanics, it is clear that they share in the challenges of how best to understand, manage, quantify, and balance their respective systems against the environmental forces at work against them.
In 1950, Einstein said it best in his letter to Schrödinger discussing his thought experiment:
“You are the only contemporary physicist, besides Laue, who sees that one cannot get around the assumption of reality, if only one is honest. Most of them simply do not see what sort of risky game they are playing with reality—reality as something independent of what is experimentally established.”
In truth, I haven't the slightest idea if we can apply anything from quantum theory to cyber risk management. But, for me, I can say that I refuse to accept the risky game my clients play when their only sources of data are those gained by experiments resulting in incomplete, inconsequential, or still worse, misleading findings.
Independent of the field of study, the desire remains the same: enable our system(s) to maintain coherence even when they are exposed to environmental forces. Unfortunately, coherence is not enough. We must also find a way to maintain coherence while achieving organizational goals. Because if we do not, all we really did was learn to make fancy squiggly bits on paper and wax poetic about pouring acid on some dude's cat; a sad reality as applicable to quantum mechanics as it is to cyber risk management.
This is a topic I’ll be diving further into in subsequent posts. Personally, I think the observations from quantum mechanics are largely applicable to cyber risk. I hold no illusion that the maths will cross over. However, I am hopeful that if we can understand the quantum challenges we may be able to apply those lessons to better meet our own unique problem set.
Much more to come on this topic!
About the Author
Jason Tugman is a Cyber Risk & Strategy consultant for Critical Infrastructure with a focus on Finance and Energy. Jason is based out of Washington, D.C.