A Risk-Oriented Hierarchy of Intervention in the Deployment and Customization of Large Language Models

A practical and pragmatic discussion of the levels of risk and complexity in the customization of large language models. Many organizations are using LLM technology to build customized chatbots, RAG tools and content generators. However, many organizations do not have a full understanding of the options and levels of risk and development complexity that come from LLM customization and deployment.

In the contemporary landscape of artificial intelligence deployment, a structural shift is occurring: base models are becoming increasingly capable out of the box. Instruction-following performance, contextual reasoning, retrieval integration, and domain adaptability have improved to such a degree that many historical justifications for invasive model modification are steadily eroding. This evolution necessitates a corresponding philosophical and governance framework—one grounded in the principle that greater customization introduces greater uncertainty, greater liability, and a proportionally greater need for validation and risk controls.

At its core, the responsible deployment of large language models should be guided by a hierarchy of invasiveness. Each successive layer of intervention introduces deeper system coupling, increased behavioral unpredictability, and escalating regulatory, operational, and reputational risk. Accordingly, risk management should not begin at the level of model alteration, but rather at the least invasive layers of interaction and configuration.


The Narrative About AI Triggered Job Loss is Speculative and Irresponsible

We are seeing an increased public narrative about the potential for job losses from AI deployment. These claims receive a great deal of media attention and are rewarded in the social media landscape for being as pessimistic as possible. Mass job loss remains highly speculative and many claims skew to the highly implausible. But this is causing mass harm.

The increasingly popular narrative of inevitable, catastrophic, long-term job loss due to artificial intelligence is not grounded in robust empirical evidence. It is overwhelmingly speculative, framed in worst-case abstractions, and presented to the public with a level of certainty that far exceeds what the data justifies. That alone would be intellectually questionable. But the deeper issue is ethical: the psychological and social harm caused by repeatedly presenting extreme scenarios as near-certainties.

There is a very real human cost to this discourse. People are not reading these forecasts as academic hypotheticals. They are internalizing them as personal futures. Students reconsider career paths. Mid-career professionals experience anxiety and loss of motivation. Workers in already uncertain labor markets feel prematurely obsolete. This is not a trivial side effect. It is a measurable psychological burden placed on millions of people based on projections that remain deeply uncertain and, in many cases, methodologically weak.

Serious economic forecasting requires discipline, historical grounding, and humility about technological diffusion. What we are instead seeing in many public conversations is a pattern of extrapolation from capability demos directly to labor market collapse, skipping entirely over the realities of workflow integration, governance constraints, liability frameworks, organizational inertia, and economic adaptation. That is not analysis. That is narrative acceleration.


Update on Drone Hysteria With Video

This truly appears to be primarily and perhaps completely caused by mass hysteria and not any actual drone swarm of any kind. There remains the possibility that there were unauthorized drones in sensitive areas, but that does not appear to account for most of the reports.

After spending hours looking for any videos of the supposed drones in New Jersey and elsewhere, I was surprised to find that the overwhelming majority of the sightings seem to be clear, unambiguous and completely doubtless examples of civil and commercial aircraft.

This reminds me very much of the Battle of Los Angeles, which was not actually a real battle but rather an example of similar mass hysteria. We are seeing the same hallmarks as previous flying-phenomena hysteria, including a mushrooming number of reports and increasing drama as more and more people become convinced that drones have crashed, are attacking or something else.

Could Drones Over New Jersey Be a Case of Mass Hysteria?

It’s far from certain, and there are a few cases that appear to be legitimate drone sightings, but a large number also appear to be civilian aircraft or other mistakes. At least some, though perhaps not all, reports are a case of panic.

If you have not been living under a rock, you are probably aware that people around New Jersey, and now elsewhere are up in arms over reported sightings of drones. Drone sightings are not at all unusual in the year 2024, but these include reports of drones over sensitive military facilities and critical infrastructure, such as reservoirs and power plants. These reports started coming in around November 13th and have gotten more and more extreme as time has gone on.

At present, a number of elected officials, such as mayors, the governor and police chiefs, have voiced concern. A great deal of drama is now under way, with officials demanding answers from the FBI, the military and others. Many are calling for the drones to be shot down.

The problem is that we still don’t actually have any answers as to what is happening, and the reports are fragmented and inconsistent. With time, confusion has only increased, and primary evidence and documentation have been lacking.

Now similar reports are being made across the Northeast. At first it was claimed that the drones were “spreading to New York.” Now they claim to have been seen across the Northeast and the US in general.

Here is what seems to have been reported:

  • The drones are reportedly only out at night, appearing at dusk and not being seen during the day.
  • Many of the drones have lights on them, in some cases the lights are strobes or other standard hazard and navigational lights.
  • There have been reports of bright lights and drones that are highly visible and not trying to be stealthy.
  • The drones have been reported over restricted areas, such as Trump-owned property, military installations and airports.
  • Air traffic, including a medical helicopter, has had to be diverted due to concerns over drone collisions.
  • Their origin, flight paths and landing locations remain elusive.
  • There are unconfirmed reports of drones switching off lights or otherwise trying to hide when pursued.
  • Many have claimed that the drones are enormous in size, frequently described as the size of an SUV or larger.
  • Reports imply the same drones remain in the sky for hours and travel great distances.

It should be noted that such large and capable drones do exist and are available for purchase. The reports of drones “the size of an SUV” or “8 feet in diameter,” if true, do imply that these are not consumer drones, but rather larger, higher-capacity drones. Such drones do exist and are used in agriculture, surveying and other professional pursuits. It’s also possible that a large experimental drone could be constructed by hobbyists, as parts and supplies to build large drones are readily available.


An Underwriters’ Guide to Cyber Risk: Managing 3rd Party Risk – Part 3

Due to the length of this detailed topic, it will be broken into multiple parts. Previous portions here:

An Underwriters’ Guide to Cyber Risk: Managing 3rd Party Risk – Part 1
An Underwriters’ Guide to Cyber Risk: Managing 3rd Party Risk – Part 2

Technical Approvals in Cybersecurity: A Missing Pillar of Risk Management

In traditional industries, technical approval processes are a vital part of ensuring safety and reliability. For example, companies often pay to have their devices tested and approved by organizations like UL, which rigorously test products to ensure safety and reliability. Safety-critical devices—such as fire alarms, fire pumps, and safety doors—require approval before being used by insured parties, giving insurers the confidence that these devices will perform when needed.

Cybersecurity, however, lacks a similar robust system of technical approvals. Without an established process, standards in cybersecurity are often vague and difficult to enforce. For instance, many standards simply state that an organization must have a “firewall” or use “industry-standard encryption.” These requirements are difficult to enforce because they are vague—what exactly qualifies as an acceptable firewall, and who verifies it? There are many products that could meet these requirements on paper, but without an approval process, there is no consistent or provable standard of quality.

Technical approvals are ultimately a necessary step toward establishing universally high standards. This is what will, eventually, end the problem of high levels of third party risk. It is an unavoidable part of standardizing risk management in technology and reining in losses. It will, unfortunately, be difficult to make great progress in cyber security until a robust system of independent testing and approval is established. This will create the “ecosystem of trust” that is necessary to enforce security.

A Well-Established and Necessary Process
It is unusual that cybersecurity proceeds without technical approval, but this reflects an outdated mindset in IT, where buyers assume all risk without warranties or guarantees. Technical approval is a well-established process in many industries, providing independent verification that a product meets specific standards and ensuring accountability. It is no longer the 1980s, and software and IT products are no longer specialty or experimental products, but this mentality still persists.


Just How Bad Are We Doing With Cyber Security? Let’s look at the past week…

So just how bad is ransomware, and cyber security in general? To get an impression, let’s look at the past week. In just the past 7 days, there have been over a dozen major ransomware attacks, though a few have not been well reported in the news media. The fact is, we have fallen for a kind of creeping normality. It’s not normal, and it should not be considered routine to see this happen.

Starbucks Impacted By Cyber Attack
Stop & Shop Hit By Cyber Incident – May Result In Bare Shelves
Supply Chain Management Vendor Blue Yonder Succumbs to Ransomware
The City of Odessa, TX Experiences a Cyber Incident
Weeks Later, Problems Persist At Hannaford Supermarkets
Wirral University Teaching Hospital Experiences Major Cyber Incident
Retailers Struggle After Attack on Supply Chain Provider Blue Yonder
RRCA Accounts Management Falls Victim to Play Ransomware Attack
Aspen Healthcare Services Announces Data Breach
Zyxel Firewalls Targeted in Recent Ransomware Attacks
Fintech Giant Finastra Investigates Data Breach


Does your kid play video games? Sue about it!

Ah yes, we are an overly and overtly litigious society, and there is no doubt about it. Certainly not when an old scheme comes up, yet again. The evil daemon? That’s right, video games. Video games, along with comic books, and that dang-blasted rock and roll music – this is why kids these days don’t know the value of a dollar!

Leaving aside the sarcasm for a moment…

Video games have been demonized as addictive, a waste of time, an encourager of violence and a gateway to satanism ever since they first debuted in the 1970s. Today most adults are used to the banter, because anyone under the age of 60 grew up with it. Video games tend to be the low-hanging fruit for what people think is offensive and dangerous. They always have been, but now that it is so familiar, it seems less likely that anyone would take it seriously.

Well, there are law firms who feel otherwise.

Here are a few ads that I came across on social media, over the past few weeks.


How The Failure Of Cyber Security Cost Harris the Election

Many do not realize this, but Donald Trump largely won the election because of cyber security failings by the current administration. Don’t believe me? Cyber security losses are a huge factor in inflation and have caused a massive economic problem, which has decimated healthcare and cost billions to government agencies, all while financing Hamas and the war in Ukraine.

These macroscopic problems may not seem to be linked to cyber security losses, but they are. While politicians like to pretend it is a minor, specialized issue, the fact is that cyber losses are now decimating business and hurting the monetary supply. They are a huge factor in why American businesses are failing and why it is harder than ever to compete. The pain that Americans feel at the gas pump, when they get their pay check, pay for insurance and the problems in the world are not 100% caused by poor management of cyber risks, but that is part of it.

The biggest problem, as I have stated before, is that we simply cannot improve things until the insurance sector cleans up its act. The moral crisis we now are seeing is caused primarily by the insurance sector, which has made the decision that it is fine to lose money on cyber security and it’s fine to raise rates. They’ve created a monster, and that monster can’t be kept at bay until regulators wise up and recognize that insurance must be held accountable for the disgusting and despicable conduct of cyber security underwriters.


Why is Ransom Paid? Panic, Perverse Incentives and Bluffs.

It is rarely in the best interest of the victim to pay ransom! Although the narrative often is “Because they have no choice” or “It is to protect people from the leak.” This is a complete myth, and it tends to be advanced by those who have paid ransom before, as a way of covering their terrible and avoidable behavior. Nobody owns this untrue narrative more than the insurance underwriters who normalized this behavior.

The problem with something like ransomware is that most companies are willing to pay ransom, and as long as this remains true it will be a persistent problem and only get worse. Ransomware has become so entrenched and is so easy and cheap to pull off that it will not subside until it becomes substantially difficult to succeed in a ransomware attack and make money doing so. Unfortunately, there have been no efforts to reduce ransom payments.

[Image: It is important to never forget exactly what is paid for with the money American companies pay.]

When ransomware gangs lock down a system, they are frequently the first people the victims hear from, and they will do their best to instill fear, create panic and make the situation seem much worse than it is. They will often claim that they will soon delete the data or raise their price for restoration. Paying for data restoration is never necessary if even the most basic precautions have been taken to back up data, but that is often not the case, and 80% of organizations facing ransomware do not have adequate backups. The situation is common, though always avoidable, and at least half of ransom payments are motivated primarily by the need to release systems and have data returned, not to avoid it leaking.

In many cases, companies have felt it was more reliable or faster to pay ransom, and with gangs so skilled at instilling fear and manipulating American companies, it is not uncommon.  In some cases insurers have even insisted that victims pay ransom against their will.  HSB is one of the few that still does this, forcing victims to pay ransom even if they felt it was not necessary, simply because the insurance company felt it was cheaper or safer to do so. However, the practice has never gone away completely from most insurers. Because the claims staff frequently receive kickbacks, they will tell organizations they are best off paying, even when they are not.

Unfortunately, it is not cheaper or safer to do so, and this is especially true if you do have backed-up data. The restored data is 100% assured to be contaminated with malware and backdoors, and the incident response will be far worse off. Paying ransom almost doubles the average cost of cleaning up an incident in the end. It also dramatically increases the chances of future attacks.


An Underwriters’ Guide to Cyber Risk: Managing 3rd Party Risk – Part 2

Understanding and Preventing Zero Day And Other Software Supply Chain Attacks

This is the second post in the series, intended to help better understand how third party risks can be managed, and to address the problem of misinformation from high-ranking sources. The myth that third party risks are unmanageable is pervasive, driven primarily by the insistence of insurance executives that “Well, I don’t understand it, and therefore it can’t be done.” Because of this toxic insistence, it is necessary to break things down and provide detailed supporting information.

In this post, we will look at zero days and unpatched vulnerabilities as a type of exposure to third party risk. Zero days are similar to supply chain attacks, and many of the same methods for controlling zero days apply to supply chain attacks as well. MOVEit is an example of a zero day attack that caused massive damage to the US and global economy. It illustrates exactly how these attacks work.

In some ways, it was the kind of systemic attack that insurers are constantly complaining about. However, it also illustrates all the ways the damage could have been prevented. MOVEit was bad, but it was also tragic, because so much of the loss could have been prevented, if we had our act together on this.
