Known Unknowns: The Inevitability of Cyber Attacks

As described by Former U.S. Secretary of Defense, Donald Rumsfeld in his 2011 book, Known and Unknown, “there are many things of which we are completely unaware—in fact, there are things of which we are so unaware, we don’t even know we are unaware of them.  Throughout history the world has faced numerous catastrophic events that were not foreseen but in hindsight were discoverable including the devastating effects of Pearl Harbor, and the September 11 terrorist attacks. More recently, the potential for catastrophic loss has been magnified in the 2020 Solar Winds and 2021 Colonial Pipeline cyber-attacks. We may not know when or how these events will occur or how much damage or destruction will occur, but we do know that these events are possible. The literature differentiates between events that occur totally by surprise, and outcomes or events that actors have identified as possibly existing but do not know whether they will take place or not. The aim of this paper is to provide insight, based on an empirical review of selected attacks both within and outside the cyber space literature to uncover the underlying risk, uncertainty, and complexity that may have been known but not seriously considered by those who had the knowledge and capability to investigate the warning signs. Based on the case study analysis, this paper will present the reasons for inaction and how we can learn from these experiences. The following two theories – institutionalization and rationalization have been found to provide some reasons for the occurrence of behaviors which increase the possibility of unobserved risks. In this paper we explore these theories through case study analysis and  propose a framework consisting of four concepts for increasing awareness of these situations.