Of Black Swans, Platypii and Bunyips

C S Wright, Tanveer Zia

Research output: Book chapter/Published conference paper › Conference paper › peer-review



To act rationally requires that we forecast the future with inadequate information, using the past as a guide for all its flaws. We make decisions in the absence of knowledge. We state that black swans and bunyips do not exist. From time to time, we find that we have decided in error and black swans are found. However, for every black swan, there is a unicorn, dragon and bunyip that does not exist and that we remain confident will never be found.

Zero-day security vulnerabilities remain the fear of many security professionals. We present empirical evidence as to the rarity of these events as a source of system compromise. Instead, we demonstrate how common misconfigurations and old attacks are far more of a concern to the security professional. We show that predicting zero-day attacks is possible and that defending systems against common vulnerabilities significantly lowers the risk from the unexpected and 'unpredictable'.

The inherent psychological biases that have developed in the information security profession have centered on the outlier effect. This has led to a dangerously skewed perspective of reality and an increase in the economic costs of security. This paper demonstrates that producing resilient systems for known events also minimizes the risk from black swans without the wasted effort of chasing myths.
Original language: English
Title of host publication: CACS 2011
Subtitle of host publication: Navigating a steady course in uncharted waters - Protect. Govern. Empower
Place of Publication: Brisbane, QLD
Publisher: Conference IT
Number of pages: 17
Publication status: Published - 2011
Event: ISACA Oceania Computer Audit Control Security Conference - Brisbane, Australia
Duration: 18 Sep 2011 to 23 Sep 2011


Conference: ISACA Oceania Computer Audit Control Security Conference

