VIEW 10
The reduce strategy—systemic vs specific
The essence of a reduce strategy is diversification. Diversifying a portfolio reduces risk; you no longer keep all your eggs in one basket. However, diversification only works with one type of risk—specific risk, not systemic risk.
What do we mean when we say systemic risk? In an insurance context, it’s often used as shorthand for the collapse of some underlying public infrastructure like the power grid. But the theoretical definition of systemic risk is “that risk which cannot be mitigated through diversification.”
In layman’s terms it means this: you may think you have put all your eggs in different baskets, but it turns out that they are all still in the same basket—just a much bigger one that you had not noticed before.
So systemic risk is intimately associated both with the concept of connectivity and the notion of "surprise," because often these connections only become apparent when disaster strikes. Uncorrelated elements display connections not previously observed. In the cyber domain, as elsewhere, the environment is always changing and so systemic risk can emerge over time.
An influential book called The Origins of Order by the biologist Stuart Kauffman in 1993 put forward a theoretical explanation of how life might have originally appeared on Earth. He was trying to explain how the "order" of life-forms could spontaneously arise from chaotic randomness. The mechanism he proposed was illustrated by an experiment in which there were 20 buttons and 20 threads. At the start of the experiment, one thread is randomly attached to two buttons, one at each end.
After five threads have been attached randomly in this way, picking up any thread would probably pick up only two buttons. Adding more threads means, at some point, picking up one thread will pick up all the buttons, because everything has become connected.
Kauffman saw this emergence of a single structured entity as a metaphor for the evolution of life. But we can equally view it through a cyber lens as the mechanism behind the emergence of systemic risk. The key question is, when does this point happen?
The answer is when the ratio of threads to buttons is 0.5, in other words, very soon after 10 threads have been added to the 20 buttons. More importantly, it happens very suddenly, in a step function change. One moment you are picking up a few buttons, the next moment you are picking up the whole thing.
This sudden change—the catataxic shift—marks the point at which you can no longer view the system as a set of independent elements. You must view all the elements as a single entity. This is analogous to a phase change. In a gas, you can view the particles as independent elements. When the temperature changes and the substance becomes solid, you must view all particles as a single object.
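The buttons-and-threads experiment can be run as a simulation. The following is an added example, not part of the original article: it attaches threads to random pairs of buttons and tracks the largest connected cluster with a union-find structure. The function names, the fixed seed and the 2,000-button run (which goes beyond the 20-button case in the text to show how the jump sharpens in a larger system) are assumptions made for illustration.

```python
import random

def largest_cluster_sizes(buttons, threads, rng):
    """Attach threads one at a time to two distinct random buttons.
    Returns the largest cluster size after each thread (index 0 = no threads)."""
    parent = list(range(buttons))   # union-find forest: each button starts alone
    size = [1] * buttons

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving keeps trees shallow
            x = parent[x]
        return x

    largest = 1
    history = [largest]
    for _ in range(threads):
        a, b = rng.sample(range(buttons), 2)
        ra, rb = find(a), find(b)
        if ra != rb:                        # thread joins two separate clusters
            if size[ra] < size[rb]:
                ra, rb = rb, ra
            parent[rb] = ra
            size[ra] += size[rb]
            largest = max(largest, size[ra])
        history.append(largest)
    return history

def mean_largest_fraction(buttons, ratio, trials=20, seed=1):
    """Average share of all buttons lifted with the largest cluster
    when threads/buttons equals `ratio` (seed is a constructed value)."""
    rng = random.Random(seed)
    threads = int(buttons * ratio)
    total = sum(largest_cluster_sizes(buttons, threads, rng)[-1]
                for _ in range(trials))
    return total / (trials * buttons)

if __name__ == "__main__":
    # Compare the article's 20-button case with a much larger system.
    for n in (20, 2000):
        for ratio in (0.25, 0.5, 0.75, 1.0):
            share = mean_largest_fraction(n, ratio)
            print(f"buttons={n:5d} threads/buttons={ratio:.2f} "
                  f"largest cluster share={share:.3f}")
```

For a portfolio, the buttons can be read as insured entities and the threads as shared dependencies, so the largest cluster share approximates how much of the book can be hit by a single event.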
Systemic risk emerges when the degree of connectivity reaches a certain critical point. This connectivity is always increasing, with the emergence of 5G networks and the internet of things (IoT) only the latest examples. The internet is an engine of connectivity, which makes systemic risk a bigger concern in the cyber realm than in other lines of insurance.
Note: There are only four possible risk mitigation strategies—avoid, accept, reduce, and transfer. Here we examine the reduce strategy; the others are covered elsewhere.
