Picture: from Casino Royale (2006)
I turn on the TV and see commercial after commercial promoting online-casinos and gambling. With all-time low interest rates here in Sweden, the gambling business is flourishing. I see a woman sitting at a kitchen table, a look of despair on her face as she looks at unpaid bills. In the next scene she buys a lottery ticket, expression turns blissful. Last scene – she is flaunting money all around. It is like seeing a typical reverie from people who are bad at assessing risk.
We are constantly at the mercy of risk, a fact which businesses and people are eager to make money from. Have you ever thought about buying life insurance? Mathematicians employed by insurance companies have created models that calculate the probability of you dying using statistical data. Factors that are taken into account are for example your gender and age. This will affect the insurance you can receive relative to the premium you will have to pay, so that it benefits the insurance company.
When you apply for a bank loan, the bank will calculate the probability of you defaulting on the loan and give you an appropriate interest rate to account for this risk so that the bank still profits. When you buy lottery tickets the game is mathematically rigged against you. The price you have to pay for the ticket, the probability of you winning and the amount you can win is not adjusted in your favor. Businesses and people that master the art of rationally assessing risk will make better decisions and in the long run make huge profits.
But how do you rationally assess risk? Risk assessment is the overall process of identifying and analyzing risk, think risk vs. reward. As we touched on the subject of gambling, Let’s take Texas Hold’em poker for example, a great way of training risk assessment skills and even taught at MIT.
Your hand is the 7,8 of diamonds and you are at the turn, meaning the dealer has dealt four cards and only one more card will be dealt after you and your opponent have finished betting.
The pot is 200$ (the money you and your opponent are trying to win). Your opponent goes all-in with 500$, making the pot 700$. You only have two choices, either put 500$ into the pot as well and show your cards; one more card will then be dealt and the best hand will win the 1200$ pot. The other choice is that you fold, meaning that you give up and let the opponent take the pot. What should you do?
If you “call” the 500$ and get to see the last card, the only reasonable way you can win is if you get a straight, meaning either a 5 or 10 will be dealt on the “river” (right now you only have 8-high, meaning you would even lose to many total bluffs from your opponent). The probability of a 5 or 10 being dealt from this position is:
(there are eight cards in the deck that make you win. there are 52 cards in a deck and two of those are visible in your hand, leaving 50. In addition, there are four cards exposed that every player can see, leaving 46 cards.)
But we cannot just account for the probability of winning, but the amount we can win and the price we have to pay for it.
There is 700$ in the pot so 120$ is a rational amount to pay in order to win the pot (0.17 × 700 ≈ 120$), this will make you break even in the long run. If you had to pay say 70$ to win the 700$, you would make a great deal and make more money in the long run. The thing is your opponent is forcing you to pay 500$ in order to see the last card, giving you horrible value for your money. You make the rational decision and quickly fold because you are not mindless gambler.
Being able to assess risk is a crucial part of life and very important when working with information security. A popular quantitative method for assessing risk in information security is calculating the annual loss expectancy (ALE).
Let’s imagine that online-gambling websites in Sweden are starting to suffer DDoS-attacks in an attempt from hacktivists to disrupt their operations. Their management asks you (now working as a security consultant) what to do. You say that they need to purchase a new cloud-based web application firewall (WAF) from a well-established vendor. It will cost 7000$ each year. They say it is too expensive. After having performed a risk assessment, you say that the new WAF will actually help them save money. This is why:
From historical data it was made clear that they suffered one successful DDoS attack every two years. Meaning they have 50% chance of a successful DDoS-attack occurring yearly. The average cost of one attack was measured to 20.000$. The new WAF would reduce the chance of a successful DDoS to 5% each year.
(1) Annual loss expectancy (ALE) without the WAF: 0.5 x 20.000 = 10.000$
(2) Annual loss expectancy (ALE) with the WAF: 0.05 x 20.000 + 7000 = 8000$
After showing the management this data, they realized that they would actually save 2000$ each year from implementing the WAF and became more enthusiastic.
Companies need to understand that security is not just painful costs in order to comply with regulation. It is there to mitigate risk, which could even help them save money in certain cases. If the ALE would be higher with the WAF, say 12000$ instead 8000$, I would not recommend using the WAF as they would lose more money each year.
A risk assessment is about knowing when to bet and when to “fold”, so you do smart investments and avoid dumb ones.