Risky business: Quantifying unknown unknowns

Throughout history unanticipated decisions by human beings has yielded unexpected consequences.

Despite the lessons of history, the same decisions and unexpected consequences unveil themselves on a daily basis via the news and social media as the unforeseen impacts of cybercrime. We have all heard and read the cybercrime narratives. The question is why, and, what should be done about it.


To provide a clear illustration of the problem and solution, we will use the tale of the Trojan Horse.  The Greeks waged a ten year war against the Trojans, but were unable to conquer the city of Troy. By exploiting human emotions and unknown unknowns, the Greeks were able to bypass the formidable defense of Troy by offering a deceptive gift.

The decision to accept the gift was based on a number of assumptions: the offering was a gift, that no risk existed to accept the gift, and that the Greeks had conceited defeat. Once the horse was inside the city walls, the men hiding inside the horse opened the gates for the entire Greek army.  The Greeks went on to destroy Troy and win the war. 

We have a classic case of social engineering to exploit human emotional unknowns for the purpose of gaining entry to a otherwise securely protected place. 

Fast forward to today, this type of event occurs every moment of every day. While the context has changed to email and web sites, defenses such as firewalls, gateways and endpoint security investments are outflanked by the decision of a human being to trust a construct which is delivered under false pretences. 

As we have repeatedly called out, according to research by IBM Security, 95% of all the cybercrime attacks bypass security technology by hacking human emotions and decision making. Point being, at any moment of any business day, any of your employees could make an inadvertent “Trojan Horse” decision.

What should you do about it?

Beauceron Security was founded on the underlying principle, ‘what get’s measured is what get's managed” and that given proactive experience and contextual exposure employees and business leaders can evolve from unknown unknowns to a quantifiable means to diminish the risk of cybercrime. 

Here is how it works:


Just as you would not ask an inexperienced accountant to mange your books, to date we typically ask employees to use devices, electronic applications and systems without any exposure to the ‘Trojan Horse' risk.  

Simply put if none of your employees have been trained on ‘how to spot social engineering and a Trojan horse’, is it a rational decision to assume no cyber crime risk exists?  Do the news and headlines support your assumption, or, can you proactively identify and educate the proverbial ‘accountants in your business who have not been educated on the basics of bookkeeping”?


Chances are high you have systems and processes in place to identify risks pertaining to health and safety, harassment, compliance and employee satisfaction.

The consistent intent being to proactively identify risks which may impact your organization in the form of behaviours and decisions which could have serious ramifications. While this is common if not intuitive, quite often we provide our employees with devices, passwords and access to systems without a regard to the unforeseen and inadvertent risk in doing so.

Is it prudent to ask your security team to be reactively address incidents of ransomware and other cybercriminal threats without knowing where the threats may come from?  Switching back to the opening context, if you identify a health and safety risk would you wait for it to happen, or, take proactive steps to reduce the risk of injury?   


To help improve the effectiveness of your employees to serve customers, operate technology or machinery, perform tasks and/or problem solve, it is likely you have exposed them to simulations as a means to build proficiency and skills.

In contrast, many organizations provide process, device, access and application simulation training but lack proactively exposing employees to social engineering and “Trojan horse” attempts by cybercriminals. Given the growing risks of cybercrime, most organizations lack ‘on the job training’ yet are shocked when an incident occurs.


We have all heard the adage ‘out of sight out of mind”.  Without a clear picture to cybercrime incidents, organizational, functional and employee risks, and how these risks are changing over time, executives and employees are in fact choosing to ignore the problem and therefore accept the risks. 

However, if like Beauceron Security, you believe “what gets measured is what gets managed’ we can help your entire organization reduce your exposure to the Trojan horse problem that is 95% of the root cause of cybercrime.

Contact us or one of our partners to learn more about how we can help you measure, manage and monitor unknown cyber risk and it’s unknown human causes.