I don't believe in probability
Nov 30th, 2010 by Jesper Kråkhede
I rather often conduct interviews of potential candidates who want to start working at Capgemini. One area that often draws my interest is risk analysis, and within that there is a specific topic that always interests me: probability. Ask any security specialist about the probability of a given risk and they answer with low, medium, high or, in some cases, with a percentage. Most of us are satisfied with that. But what happens if you ask how they arrived at that number or classification? You'll most probably get a rather nonspecific answer. And the fun starts when you ask them how they build their cases for probability. Most of them answer with the following story: if you have a computer without virus protection, the risk of it getting a virus is very high.
That is of course an obvious answer. Let them give some more examples and sooner or later they reach the point where they have to admit that it is mainly a guess based on experience, most of the time an immeasurable guess. This is my point. We tend to build risk analyses on our gut feeling rather than on known facts. If you read 'The Science and Politics of Fear' you'll understand how the brain works in these situations and why our reasoning is flawed. As we very seldom have reliable facts, most of the risk analyses we conduct are flawed. This is quite obvious, as Wikileaks still gets its information, industrial espionage continues to be a lucrative market, and Stuxnet continues to amaze.
So what can you do? I will not explain the model my colleagues and I use in full, but suffice it to say that it is not built on probability. Instead we build it on a deep understanding of the actions a risk consists of and focus on those instead. We also make sure that when we are conducting workshops we gather a larger subset of our client's organisation than is common, to make sure we get more input.
No, I don't believe in probability. For those of you who understand Swedish: Tage Danielsson, 'Om sannolikhet'. For those of you who don't understand Swedish, this monologue is a good reason to learn Swedish. Here is a translation: On likelihood
Unfortunately the world is not very deterministic. Sometimes we do not know the facts, and while reaching for facts, you might have an impact on the facts. In risk analysis we tend to forget the "time" factor. Even the low probability hits when there is too much time (to brute force).
"God doesn't play dice", said Einstein, and how wrong he was?
I can imagine how many of these "Akin's laws" were violated in the Wikileaks incident; it is in general a very good starting point for doing any design, and funny to read:
http://spacecraft.ssl.umd.edu/old_site/academics/akins_laws.html