Tech Risk Assessment: A Three Dimensional Threat Matrix
A more complete assessment of risk and benefit occurs in three dimensions: the human factor (internet), AI and time. We described the human factor or internet above. AI-associated risk follows a similar pattern to that of the human factor, but the nature and magnitude of risk are anything but human.
In short, as AI use moves from on-device to collaborative to unknown and uncontrollable human interaction, the risk increases. For example, on the device, the risk may be as minimal as bias, where the facial recognition may not work as well for a dark-skinned user as for a lighter-skinned user (this has been reported), or may have trouble with culture-specific queries/accents. In a cloud service, AI again might fail for cultural or geopolitical reference points (bias), or they may have been disallowed by a nation state (censure). On social media, AI-enabled bots may wreak havoc on social interaction, with geopolitical and sociopolitical consequence en masse. Indeed, predictions are that highly sophisticated bots have been developed and will be deployed for the upcoming US national elections in 2024.
AI is not simply a product, but a force multiplier, operating at faster than human speed, processing in non-human terms, and unceasingly analyzing data at non-human scale. So transformational is this force that Oren Etzioni, CEO of The Allen Institute for Artificial Intelligence, has created a Hippocratic Oath for AI developers to pledge to do no harm. The growth and capability of AI is vastly outpacing human growth and adaptation, and is increasingly reshaping the latter in ways that no human can. It outperforms and has replaced humans in certain tasks. When in service to human need, it makes humans more efficient. When deployed against humans, it can exploit human behavior to potentially decimate whole societies in an instant, thus affecting risk in a way no mere human can. AI requires its own axis.
The third axis, time, is a dimension in which risk is altered. This risk may be absolute such that, if that tech is discontinued, so too is its associated risk. In most cases risk is relative, in that a specific risk, relative to competing risks, can increase or decrease over time. For example, the absolute risk of a product, like AI-enabled facial feature alteration, as on Instagram, may be high; but the risk of your face being captured online and used in a deep fake for extortion or other criminal activity might soon become an even greater risk, deprecating the relative risk of the facial feature altering program to both that user and possibly to others.
Time also converts risks to hazards. Think of a six-sided die. The ‘risk’ of throwing a die and getting a 3 is always one in six. However, over time, for each throw not resulting in a 3, the ‘hazard’ of getting a 3 increases with each successive throw. Hazard is why we have healthcare and homeowners’ insurance. The longer a defined risk, such as a software vulnerability or missing product safety feature, goes unmitigated, the greater the hazard of an adverse event.
Time not only alters risk, it can also serve as a buffer to risk, as we will discuss below. Time is an essential dimension in risk assessment.
In short, the less control a user has over the security measures to protect their device and data, and the greater the exposure to other actors of increasingly unknown intent and capability, the lower the relative benefit to risk. For any risk, the key question for the user remains: is the risk sustainable or survivable? If not, then no amount of benefit is justifiable; at least, not rationally.
Prior experience with comparable products and services can be a reasonable guide as to the risk of any new product. For novel products or services, the risk can be more speculative and harder to categorize or quantify. Whatever the level of controversy surrounding it, the user should weigh, based upon the best available evidence, whether or not the likely risks, benefits aside, are acceptable.
The Consumer Base: Monolith vs Pleomorph and Risk Mitigation
Tech users have a wide range of interests and needs. While all users are in one or another market, not all users are in every market. Perspective dictates that, when evaluating a technology, one needs to decide whether or not one is in that specific market. Does this product/service address a present unmet need for that user? Where there is threat controversy or ambiguity, with few known facts, the user can choose to wait until more is known about the product. This is a situation where one can allow those better suited to be early adopters to test the product and publish their findings, particularly known sources that do this professionally.
Finding Facts in All the Right Places
Public fora, including live podcasts, and community comment at sites like TMO are venues for gathering evidence-based information and for sharing ideas and opinions. One of my favorite sources is Dave Hamilton’s and John F. Braun’s MGG (or what I like to call, John and Dave’s Excellent Adventure). Importantly, they, like any good knowledgeable and trustworthy source, do two things. First, they acknowledge what they do not know, and solicit input from others, including their listeners. Second, they point to other grounded information sources, expanding the user’s lines of investigation and knowledge base.
The key for the user is to ensure that a source is providing facts. One indicator of this is that different sources, whatever their value assessments and recommendations, agree upon a common and consistent set of facts, which in turn align with those of the original source (in this case, the corporation).
Our expectations of tech corporations need to be realistic, grounded in observed corporate behavior. If we expect them to make the same decisions that we would, we will be disappointed. Expect them to be solutions-driven, with an eye towards competitiveness and growth.
When evaluating product-related risk/benefit, go to objectively reliable sources. These will base their recommendations on evidence, will admit what they do and do not know, will refer you to additional authoritative sources, and empower you to formulate your own informed opinion.
In the face of controversy, time is your friend. Use it as a buffer between you and risk/hazard. Let qualified early adopters and evaluators assess and share their findings. Allow time for consensus. If opinions remain mixed, then decide if this is something that, on balance, will be of net benefit to you. If not, then there is no need to adopt it. Save your money for something enjoyable.