Peter Sandman introduced the following risk equation in the 1980s:
Risk = Hazard + Outrage
An increasingly common scenario in the OT world over the last two years, particularly with small-scale water incidents, is Hazard is Low and Outrage is High. In these cases the task is outrage management: reassuring excessively upset people about small risks. Calm down.
When a cyber incident takes out part of a small water system AND has no chance of delivering unsafe water or causing more than a short outage to a small number of people, the hazard is low. As we’ve seen, the outrage is high.
The people who should be reducing the outrage, calming the affected customers, the general public, and lawmakers … all too often support or even feed the outrage. You see Oldsmar, Aliquippa, and Muleshoe highlighted in presentations and papers from our authoritative sources.
What we need now is Outrage Management performed by CISA and other government leaders around the world, as well as by influencers / the OT security people who have a platform and are listened to. It would be great if OT security vendors and the press would participate as well, though this would often be contrary to their interests.
Why does it matter?
Because we need to focus our attention on Precaution Advocacy (when Hazard is High and Outrage is Low, e.g. the actual case of ransomware in hospitals, plus many potential scenarios) and Crisis Communication (when Hazard is High and Outrage is High, e.g. Colonial Pipeline, CrowdStrike).
Outrage placed on low hazard events is a waste of energy and attention.