We see it play out every day as professionals. A new IT security policy that shut down productivity for weeks. The travel prohibition that caused the company to lose a game-changing deal. Recently, the health risk management decisions that cause massive economic and social impacts whose consequences will be measured for several years to come. Reflexive security decisions and resource allocation often work fast and, in the short term, make security and risk management program professionals look heroic and effective. Threat came, security delivered.
How often do we think about the consequences of our treatments? We spend so much time evaluating external and internal threats, we forget to evaluate the vulnerabilities and threats we create and the devastation they can create. Although it may take a little more time, we need to think about second order and third order effects (SOE and TOE), and practice strategic patience if we are to overcome this rampant failure in a risk management program.
Why We Overreact
As empathetic, problem-solving human beings, we are sensitive to threats that can create harm to our friends, family, colleagues, and even society. When threats are detected we are programmed to respond and protect. We do not like to see losses, death, pain, and destruction. We are also critical thinkers by nature and often feel there is a solution for every challenge. It challenges our ego and credibility when we do not respond swiftly. As professionals tasked with recognizing threats quickly and paid to formulate solutions, there is pressure to alleviate the immediate situation. Failure to act with haste often leads to termination, political turmoil, or a massive loss of credibility. Sadly, there are fewer consequences for short term inaction than long term inaction.
This is due to short term memory and a lack of metrics for the inaction. The risk is lower to overreact and create the perception of safety and security. This is why most politicians make risk management decisions based on public perception and political fallout, not actual critical thought or long-term analysis. We do the same things as practitioners, because it is far easier to kick the can down the road or transfer the risk/pain to someone else or another department. Lastly, it is more challenging to analyze the possible consequences of the future. Not everyone has the intellectual stamina or talent to evaluate complex security situations.
What are Second and Third Order Effects?
The idea of second and third order effects comes from many points in history, but the most recent influences are borrowed from military, financial, and business contexts. Without going into a complete background of effects-based operations (EBO), the military has sought to find ways to focus on battlefield effects to win wars as opposed to total annihilation of the enemy.
Market analysts and complexity theorists have recently focused on second order (and beyond) effects and consequences to help with investment outcomes and a host of other problem sets. Despite some detractors who lament the complexity and difficulty, looking at second and third order effects is becoming well established as a goal-chasing construct. In many ways, effects-based thinking borrows from Sun Tzu and his “Art of War,” which argues for deep understanding of opponents, outcomes, and multiple approaches.
In simple terms, second order effects (and subsequent effects) is the concept of considering the future and what chain of reaction(s) will occur given an event stimulus. How will one decision, event, or action change the situation and exact a response? SOE requires vision, knowledge of context, and an appreciation for data and history. SOE has been used by military commanders for centuries to help tease out the likely courses of action of enemies following enemy and allied actions. SOE is used in a similar way in games of chess and in legal planning.
Without thinking about the reaction and follow up of one’s actions, devastating outcomes have occurred or might have occurred throughout history. In many ways, it seems like common sense to think of the consequences of actions in the future, and to try and analyze what will happen as a result of treatments and solutions. However, in many cases, professionals focus on what is in front of them and apply all their mental resources there. Budgets, security programs, risk mitigations, and threat reactions are all decided in a vacuum and one-dimensionally.
The best strategists and successful thinkers reflect and can predict what events and impacts will transpire BEFORE making important decisions. Regardless of the time it takes, considering SOE and TOE is almost always worth it.
What is Strategic Patience?
It is easy to placate immediate needs and to respond swiftly with the simple and obvious treatments. The more obvious, the less likely the decision maker will be questioned, and if less than optimal outcomes are achieved, the decision maker can be at least partially forgiven. Even with slowly developing situations and threats that have many variables, it is often looked at favorably to try something: to act vigorously and confidently with robust and visible measures that seek to make short term gains or mitigate the immediate risks comprehensively. I have coined the term “strategic patience” to symbolize the ongoing process professionals should take to fully understand the threat and its consequences, and further, to analyze all treatments, effects, and mitigation completely. Chief and central to this analysis should be the resulting impacts of any possible decisions made. There are many kinds of effects and impacts possible from actions and risk treatments; some can be foreseen while others are unknown unknowns. Allowing for the collection of relevant intelligence and second order scenario analysis throughout strategy, operations, and tactics are the hallmarks of strategic patience. Strategic patience does not have to be a laborious process. In fact, it should be incorporated into multiple nodes of security programs.
Strategic Patience and Effects-Based Thinking
- Make an attempt to collect as much intelligence as possible about the situation.
- Look to scenarios and probable outcomes and reactions.
- Only act when second and third order effects are considered or there is insufficient time to analyze.
- Link all security and risk management activities to desired effects and goals.
- Incorporate this analysis at every stage of program development and execution.
- Measure the efficacy and ROI of multinomial order analysis to optimize integration.
Why We Need to Think About SOE and TOE in Security and Risk Program Management
If it is still unclear why we need to include downstream effects in planning, operations, and decision-making, think about the number of times our peers have made a bad situation worse. Think about the complexity of challenges we face as professionals and the feeling in our gut when we don’t feel completely confident with our decisions or worry about longer term impacts. Think about your credibility and long-term standing as a stalwart for your company, client, and industry.
Treating a security program as a linear and siloed system with minimalist threat analysis and consequence management is the quickest way to become famous for the wrong reasons. When we put together a strategy and security program, it must be informed and constantly calibrated given new information. When we experience new or modified threats, we must weigh options and context across time, assets, and space. As we form and improve risk management processes, we must consider the consequences of the processes and how they will bring the program and company to the effects and goals they desire. Without multi-dimensional and persistent analysis and strategic patience, we are living in a dangerous world of assumptions or rules-based security programs.