• T. Kearny Vertner, III

COVID-19 and Threat Modeling

Stop trying to eliminate or ignore risk; take necessary risks smartly.


2020 has been a wild ride so far! An entire continent caught on fire, every two weeks we dodge another world war, the market crashed, and of course... a global pandemic. It's easy to choose between one of two options: Shut down completely and disinfect everything or give up trying and let the cards fall where they may.


Imagine if you approached your home security the same way. If I can't live in Fort Knox, I might well leave the doors, windows, and WiFi open - right? Of course, nobody does that. We check the doors every night before bed, make sure the windows are shut before we leave, and keep that WiFi locked down tight. We acknowledge and accept risk based on a threat model that deters casual opportunists who walk by and check for unlocked doors, open windows, and vacancy. We can easily defeat the teenager who is just coming in real quick to swipe your Playstation. We implicitly understand that we will not foil the determined cat burglar.


Threat modeling is a simple thing we each do every day - often without realizing it. It helps us answer questions like, "How am I vulnerable?", "Who am I vulnerable to?", and "How can I mitigate these threats?" While I've discussed it before in terms of network security, it applies far more broadly. When you decided to park your car at night near a street light instead of the dark corner of the lot, you modeled your potential threats. You assessed the risks and sought to mitigate them. It wasn't necessarily fear that drove you one way or another, but smart internal calculations.


A good look for a doctor - maybe not a gamer

Pandemics are precisely the same, and various private and public entities are responding accordingly, even if they are rarely in sync. Like most security situations, everyone is evaluating their threat model. We should each be doing the same with our individual approach while respecting the approaches others may need to take. The approach taken by someone who works full time in an emergency room or lives with someone who is immunocompromised is very different from an introverted video gamer who occasionally goes out for groceries and take-out pizza. The former will want to wear N95 masks while they're out and practice substantial decontamination procedures to mitigate viral load, while the latter can get away with a mask made up of a cut-up t-shirt face mask and reasonable social distancing.


Where we mess up is when our threat model is inaccurate, leading to a mismatch. The ER nurse who only occasionally washes their scrubs and goes out regularly or the video gamer who is purchasing every spare N95 mask online (at inflated prices) while never leaving their home are both wrong. I have heard a lot of otherwise capable risk takers lose sight of their actual threat model and seek both too-conservative approaches - or far too liberal approaches. The answer for most is almost always a synthesis - somewhere in the middle. What's messing this up for so many? Data gaps.


In my recent read of Dr. Brené Brown's Dare to Lead, one of the ideas that struck home with me was her simple explanation of conspiracy theories: they are just theories where we take factual data, and our mind fills in the gaps with our fears and insecurities. If you have spent any time on social media recently, you have already seen countless bizarre theories on COVID-19 treatments, origins, epidemiology, and public health policies. The reality is that there is a tremendous amount that we don't know, and many experts are tirelessly working on finding the answers. Proper scientific rigor means that we need to take time, keep digging, and not be surprised when our hypothesis is wrong. Science rewards tenacity in seeking truth, not stubbornly holding on to a position. Unfortunately, because there is so little known and new science is pouring in every day, we are each left wrestling with a tremendous number of data gaps, challenging our ability to make useful threat models. Further complicating this are the natural human fears of being wrong, inconsistent, or showing weakness (through fear, ironically).


My counsel is simple: embrace the ambiguity. Accept that there is data you don't have and trust the advice of experts in the field. Be skeptical of an apparent expert who assuages your fears and tells you what you want to hear with a simple gapless message; that's probably a charlatan in a lab coat. Instead, bravely take in hard truths from people who smartly acknowledge their data gaps and be prepared for both them and you to be wrong. Focus your threat model on the data you have. Take masks, for example. It's widely acknowledged that any kind of mask is better than no mask at all. While it will not stop everything from entering (or exiting), it will stop some. Likewise, understand that some people will have symptoms and test negative, while others will be completely asymptomatic and test positive. More unknowns.


No matter what, the compounded efforts of everyone making small adjustments to their lifestyle by improving hygiene, maintaining a bit more personal space, wearing some form of mask, and limiting human contact and travel will all create some space for the experts to continue to work hard toward filling those data gaps and answering many of our questions. Continue to evaluate your personal threat model and take appropriate risks depending on your situation. Complete isolation and permanent quarantine are no more realistic than trying to stubbornly ignore the pandemic and believe that everything should be back to normal. If everything goes well, we can enjoy watching the contrarians claim we overreacted while the alarmists can claim that our overreaction worked... and rest easy knowing that the storm has passed regardless of who was right.



Drop Me a Line, Let Me Know What You Think

© 2020 by T. Kearny Vertner, III. These are my views and do not necessarily reflect the policy or position of the Department of Defense or its components. Proudly created with Wix.com