Why COVID-19 is like CyberSecurity Risk

As a parent these days, we discuss many things with our school. Often the discussion is about the pros and cons of allowing students and teachers back to school after some time away from school and the danger of exposure to the rest of the pupils. I am struck by the risk/reward evaluations we are making and their similarities to CyberSecurity.

Both COVID-19 and CyberSecurity are situations where we must evaluate the risk with no possibility of eliminating that risk within a short timeframe. Until we get a COVID vaccine there is an ever present risk of infection, spread, and pandemic. The risk decisions we make with respect to COVID are very much like those CyberSecurity professionals make with respect to threats and vulnerabilities, particularly as neither are going away soon. It isn't a mistake that we talk about CyberSecurity vulnerabilities and malware in terms of virology: viruses, infections, and spreads to name a few, as well as mitigations.

Similarly to CyberSecurity, a disease like COVID needs to be identified, protected against with countermeasures, detected by testing, responded to by, hopefully, a vaccine, and recovered from. Until we have such a vaccine, perhaps the best we can do is to offer our learning from CyberRisk and encourage society to take preventative countermeasures against the virus as we do against threats and vulnerabilities (firewalls, encryption, etc), as well as detective measures such as tracking and tracing. As they balance the risk to society, it will always be a weighing, such as we do in CyberSecurity, of risk vs. reward to society, with very few clear and obviously correct answers, but to the best of our abilities, guided by science.