Further to my earlier piece on Cyber Tail Risk, some interesting discussions ensued digging into the actual nature of Cyber Tail Risk. As I implied earlier, in finance we learned the hard way that risk does not follow a neat bell curve. Before 2008, models suggested losses would cluster comfortably around the average. They did not. The crisis revealed what statisticians call excess kurtosis: fat tails, where rare events produce disproportionately large consequences.
Cyber security operates in the same statistical reality.
On most days, cyber incidents are routine: blocked phishing emails, patched vulnerabilities, contained malware, false alerts from fat-fingered users in the Monday / Friday disconnect window. Metrics look fundamentally stable. Dashboards trend predictably, or at least the outliers are ones we assume are already accounted for. The distribution appears manageable and all feels good … and then the curve breaks.
The breach at Equifax was not a marginal deviation from the mean. The ransomware attack on Colonial Pipeline was not a standard IT disruption. The supply-chain compromise at SolarWinds demonstrated how a single point of compromise can cascade across thousands of organisations. These were tail events, statistically infrequent, strategically seismic.
In a fat-tailed system, averages are misleading and routinely misunderstood. Historical loss data understates exposure because a handful of extreme outcomes dominate total impact. 95% of incidents may be minor and shape the perception of how well things are going; the remaining 5% determine the true state of your organisation's resilience.
Cyber’s structure naturally produces this behaviour. Digital ecosystems are highly interconnected: cloud platforms, identity federations, shared libraries such as Log4j, and a veritable bird’s nest of open source libraries that few pay much attention to, assuming their integrity in blind faith. Attackers operate with scale and automation; defenders operate with complexity and constraint, the former unbound by regulation and the latter slowed by compliance friction. The marginal cost of attack is low, while the cost of defence is persistent. When vulnerabilities emerge, exploitation propagates at machine speed. Impact does not rise linearly; it accelerates exponentially.
The strategic error is to optimise for the mean. Efficiency programmes, headcount reductions, and process refinement improve steady-state performance. They do not necessarily protect against systemic shock. In kurtotic environments, resilience is shaped less by incident frequency and more by blast-radius control and containment.
That means segmentation over flat networks. Redundancy over single points of failure. Clear authority over consensus drift. Manual override capability over automated dependence. The objective is not eliminating every event; it is surviving the one that matters.
For boards, the reframing is simple but profound. The question is not "what is our expected annual cyber loss?" It is "can we withstand our plausible worst case?"
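The two claims above, that the average understates exposure in a fat-tailed loss distribution and that "expected annual loss" and "plausible worst case" are very different numbers, can be checked with a small simulation. The following is an added example, not part of the original post: it draws constructed incident-loss samples from a Pareto distribution (a genuinely fat tail, with infinite variance) and from an exponential distribution with the same mean (a thin tail), then compares how much of the total loss the worst 5% of incidents account for, how far the 99th-percentile loss sits above the mean, and how often a short "historical" window of incidents would lead you to set a budget below the true mean. The loss units, the mean of 3, the Pareto shape of 1.5 and the window size of 50 incidents are all assumptions chosen for illustration.

```python
"""
Added illustration of fat-tailed cyber loss: constructed synthetic data,
not the post's own figures. Requires only the Python standard library.
"""
import random

TRUE_MEAN = 3.0      # assumed: both distributions are parameterised to this mean
PARETO_ALPHA = 1.5   # assumed: shape < 2 gives infinite variance, i.e. a fat tail


def simulate_losses(kind: str, n: int = 100_000, seed: int = 42) -> list[float]:
    """Constructed per-incident losses in arbitrary units.

    'fat'  : Pareto(alpha=1.5, x_min=1); mean alpha/(alpha-1) = 3, infinite variance
    'thin' : exponential with the same mean, as a light-tailed comparison
    """
    rng = random.Random(seed)
    if kind == "fat":
        return [rng.paretovariate(PARETO_ALPHA) for _ in range(n)]
    if kind == "thin":
        return [rng.expovariate(1.0 / TRUE_MEAN) for _ in range(n)]
    raise ValueError(f"unknown distribution kind: {kind}")


def tail_profile(losses: list[float], top_fraction: float = 0.05,
                 worst_case_p: float = 0.99) -> dict[str, float]:
    """Mean, share of total loss carried by the worst `top_fraction` of
    incidents, and the `worst_case_p` quantile ("plausible worst case")."""
    s = sorted(losses)
    total = sum(s)
    mean = total / len(s)
    k = max(1, int(len(s) * top_fraction))
    top_share = sum(s[-k:]) / total
    worst = s[min(len(s) - 1, int(worst_case_p * len(s)))]
    return {
        "mean": mean,                     # the "expected loss" a board is usually shown
        "top_share": top_share,           # fraction of all loss from the top 5% of incidents
        "worst_case": worst,              # 99th-percentile single-incident loss
        "worst_over_mean": worst / mean,  # how far the tail sits above the average
    }


def fraction_of_windows_understating(losses: list[float], window: int = 50,
                                     true_mean: float = TRUE_MEAN) -> float:
    """Split the history into consecutive windows of `window` incidents and
    report how often the window average sits below the true mean. A budget set
    from a typical window's average is too small exactly that often."""
    windows = [losses[i:i + window]
               for i in range(0, len(losses) - window + 1, window)]
    below = sum(1 for w in windows if sum(w) / len(w) < true_mean)
    return below / len(windows)


def compare() -> dict[str, dict[str, float]]:
    """Run both distributions through the same profile for side-by-side reading."""
    out = {}
    for kind in ("fat", "thin"):
        losses = simulate_losses(kind)
        profile = tail_profile(losses)
        profile["windows_understating"] = fraction_of_windows_understating(losses)
        out[kind] = profile
    return out


if __name__ == "__main__":
    for kind, profile in compare().items():
        print(kind, {k: round(v, 3) for k, v in profile.items()})
```

For the Pareto tail the theory says the worst 5% of incidents carry about 37% of all loss (0.05 raised to the power 1/3), against about 20% for the exponential, and that the 99th-percentile loss is roughly seven times the mean rather than under five. The windowed check is the practical sting: for the fat-tailed series, well over half of the 50-incident windows average below the true mean, so a loss budget derived from "what we saw last quarter" will usually be too low, and the quarters that would have corrected it are precisely the ones that break the curve.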
Cyber security is not a cost centre optimising variance around an average; the trend in organisations to treat it as one is tantamount to wilful blindness. It is a resilience function designed for tail survival. The organisations that understand this statistical truth will build differently and endure when the curve bends. As for the rest of you … the facts abound; just ask Jaguar Land Rover.
Posted on March 3, 2026