Risk vs. Uncertainty (Part II): The Secure Print & Scan Edition

I remember once talking to a friend in HR who lamented the fact that her office didn’t have a way to securely scan or print documents. Because she worked in a department with highly sensitive data, I thought that it was strange it wasn’t made available to her.

I recommended that she put in a request to IT to see what they could do, to see if (a) the ability to securely print and scan was available, and if not, be made available; and (b) if it was available, instructions to how to use that function should be made known to the company’s employees.

The response that my friend got from IT was hugely disappointing (to us, at least): that because there wasn’t enough demand for such a service, IT didn’t feel there was a need to invest in this area.

Now, I’ve worked closely with and within IT, and I fully understand from an IT perspective that resources are highly limited (both in terms of money and time), and issues affecting only a small number of users typically shouldn’t warrant any IT investment. And to them, this was an issue that affected only a small number of users — how many people were going to be scanning or printing highly sensitive documents anyway?

But what this IT person didn’t understand was that though it was only a few people who were printing or scanning sensitive documents, these sensitive documents had the potential to impact a large number of people. HR doesn’t work for itself; it’s a supporting function dealing with (potentially) the most sensitive aspects of every employee in the company.

I had half the mind to ask my friend to tell that IT guy that the next document she prints would be his employment details. Perhaps then he would think it a worthwhile investment.

This brings me to another point about risk and uncertainty. Remember in my previous post that I mentioned that the main difference between risk and uncertainty was that the former had known odds while the latter had unknown odds?

The chance of someone seeing a document he or she shouldn’t be given privy to can be calculated. It’s a risk, and the odds are by and large calculable – it’d be something along a function of the number of people using the printer, their usage frequency and periods of printing (peak vs. off-peak periods), the number of documents that are printed (sensitive vs. non-sensitive), and the length of time sensitive documents are collected or deleted.

As the IT person had assumed, the risk of an unauthorised person viewing a sensitive document was probably quite low. Printing and scanning of sensitive documents wasn’t done particularly often, and by and large they’d be collected or deleted before they were viewed by unauthorised persons. But within this scenario lay an uncertainty: how sensitive are these documents and what’d happen if they were viewed by someone with malicious intent?

The IT person couldn’t possibly know how bad an outcome it could be if such an incident did occur. Preventing just one employee from seeing the employment details of a competing employee and finding something he or she deemed “unreasonable” or “unfair” would probably justify the costs of a printing and scanning security implementation. Imagine the costs involved in damage control.

And if you think that’s unlikely or that small employee dispute resolutions are “low cost”, how about preventing the leakage of information about an impending M&A?

In almost all cases, if a relatively low, limited cost can prevent a potentially large (and you don’t know how large), negative outcome, pay it. Make thinking of situations like these with the risk vs. uncertainty mindset and you’ll be surprised the different conclusions you may come up with.

Risk vs. Uncertainty (Part I)

I can’t believe I didn’t write about it before today: the difference between uncertainty and risk.

I’d originally thought that uncertainty and risk were one and the same. If you’re uncertain about something, about taking some action, and you had to decide whether or not to take that action, it was a risky action to take.

But it’s not like that.

Risk involves known odds. Known probabilities. Known possible outcomes. Uncertainty does not.

Let’s say that you have to throw a die that determines whether or not you live or die based on its outcome. If it’s four or greater you live, if it’s three or less you die. It’s a risk. But it’s not uncertain, because the odds and outcomes are known.

If you were not given the conditions under which you’d live or die, so you don’t know what range of values determines what fate, things get pretty uncertain. You don’t know if throwing any number between 1 through 6 will mean you live or die. Or whether or not living or dying was one of the outcomes you could expect.

To use another analogy, it’s like playing Russian Roulette without knowing how many bullets there are in the chambers and not knowing if the gun is real in the first place.

Under conditions of risk you’re making an informed decision.

Under conditions of uncertainty, however, there is no informed decision except that of the overhanging uncertainty. “I know the outcome and odds are uncertain, but I’m going ahead anyway.”

Masks: A poem by Shel Silverstein

I came across a beautiful poem by Shel Silverstein called “Masks”, that reminded me of how we can sometimes go through our whole lives pretending to be someone else, hoping to find like-minded souls but afraid to reveal our true selves.

Masks, by Shel Silverstein

 

She had blue skin,
And so did he.
He kept it hid
And so did she.
They searched for blue
Their whole life through.
Then passed right by–
And never knew.

I find the poem beautiful because of how it reflects a painful truth of my life, that so much of what I say and do is part of a show put up to others because that’s what I think should be, not what it really is.

I’m blue.

Are you?

The NS Man Tribe

For the next couple of weeks (and for the last few days) I’ll be doing my yearly national service. It’s not something I particularly look forward to, but after I’m doing with it I’m often quite thankful for the opportunity to have been able to do it. It’s something like a hard run in the morning — you don’t really want to do it, and you’re pretty much miserable all the way through until the end, but in hindsight when all is done, you realise just how good it makes you feel.

For the last couple of days I’ve been pretty miserable in camp. Being away from my family and having had to put my career moves on hold has been hard (especially since I’d only recently changed jobs).

But I’ve also been surprisingly happy, because it’s given me an opportunity (albeit a forced one) to talk to guys my age, in a similar life stage. The very unique relationships we NS Man have, being die-for-one-another close and yet at the same time didn’t-know-you-got-married close, is something you won’t get anywhere else.

I’m part of the NS Man tribe. And, strangely enough, I like it.