Learn to play poker
Information security practitioners can learn a lot from the game of poker: it’s a good example of the difference between dealing with uncertainty and dealing with risk. Information security is often described as dealing with the risks associated with information systems, but a closer look shows that it really deals more with uncertainty, and one of the best ways to learn about dealing with uncertainty is to play poker.
Risk management deals with the expected (average) losses associated with unpredictable events. In particular, for a given event, we find the risk associated with it by multiplying the probability that the event happens by the loss that we will experience if it does. So an event that happens with a 1 percent chance and causes $1 million of loss when it happens represents a risk of 1 percent of $1 million, or $10,000.
In the case of information security, however, we rarely know either the probabilities of security-related events or the loss that will accompany such events. If you are running a web server, for example, it’s almost certain that it contains many exploitable vulnerabilities, some of which have not yet been discovered by security researchers. In the face of this almost-certain exposure, what are your chances of being exploited by a hacker due to one of these yet-undiscovered vulnerabilities? And if you are exploited, how do you quantify the damage that you suffer? If you send unencrypted e-mail, what are the chances of it being read by an adversary? If your e-mail is indeed read, how much damage will it actually cause?
Because it’s difficult to accurately answer such questions for most information security systems, the unpredictable losses from using them are probably more accurately described as uncertainty than as risk, and most risk management methodologies don’t work very well with them. This is similar to the situation where one approach works well to develop strategies for a game like craps but an entirely different approach is needed to develop strategies for games like poker.
The chances of winning or losing in any situation are well known for the game of craps. This is because the outcome of the game is based entirely on the roll of the dice, and these have well-known probabilities. This means that the best strategy is easy to find and to follow. Further, these strategies are essentially unchanged from those that players used hundreds of years ago – the game has remained relatively unchanged from the time that it was played by twelfth-century soldiers in the Third Crusade or mentioned in The Canterbury Tales. You can’t really win at craps – you’ll lose money in the long run if you choose to play it. On the other hand, because the probabilities are well known, risk management methodologies work quite well in finding ways to minimize your losses.
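The two situations can be put side by side in code. The following is an added example, not part of the original column: the first part enumerates the dice outcomes behind a craps pass-line bet and derives the exact win probability and house edge, the kind of well-known numbers that make risk management workable for craps. The second part repeats the probability-times-loss calculation from above for two security scenarios, but with each probability and loss known only to within bounds; the scenarios and their bounds are constructed for illustration and are not figures from the text. It shows that which scenario "ranks" as the bigger risk depends entirely on which point inside the bounds you happen to pick.

```python
"""Risk with known probabilities (craps) versus uncertainty (security).

Added example; the security scenarios and their bounds are constructed
assumptions, not data from the original text.
"""
from fractions import Fraction
from itertools import product


def two_dice_distribution():
    """Exact probability of each total 2..12 for two fair six-sided dice."""
    dist = {}
    for a, b in product(range(1, 7), repeat=2):
        dist[a + b] = dist.get(a + b, Fraction(0)) + Fraction(1, 36)
    return dist


def pass_line_win_probability():
    """Exact probability that a craps pass-line bet wins.

    Come-out roll: 7 or 11 wins, 2, 3 or 12 loses; any other total becomes
    the point, which must then be rolled again before a 7 is rolled.
    """
    dist = two_dice_distribution()
    p_win = dist[7] + dist[11]
    for point in (4, 5, 6, 8, 9, 10):
        # Once a point is set only the point and 7 decide the bet; every
        # other total is a re-roll, so condition on those two outcomes.
        p_point_before_seven = dist[point] / (dist[point] + dist[7])
        p_win += dist[point] * p_point_before_seven
    return p_win  # Fraction(244, 495), about 49.3 percent


def pass_line_expected_loss(stake=1.0):
    """Expected loss per unit staked on the pass line: the house edge (7/495, about 1.41%)."""
    p = pass_line_win_probability()
    return float((1 - p) * stake - p * stake)


def expected_loss(probability, loss):
    """Risk as the text defines it: probability of the event times the loss if it occurs."""
    return probability * loss


# Constructed scenarios (assumptions for illustration): name -> (probability bounds, loss bounds)
SCENARIOS = {
    "web server exploited via undiscovered vulnerability": ((0.05, 0.5), (50_000, 500_000)),
    "unencrypted e-mail read by an adversary": ((0.001, 0.2), (10_000, 5_000_000)),
}


def prioritize(scenarios, pick):
    """Rank scenarios by expected loss, largest first.

    `pick(lo, hi)` chooses the point estimate used for each bounded input,
    e.g. the lower bound, the upper bound or the midpoint.
    """
    ranked = sorted(
        scenarios.items(),
        key=lambda item: expected_loss(pick(*item[1][0]), pick(*item[1][1])),
        reverse=True,
    )
    return [name for name, _ in ranked]


if __name__ == "__main__":
    print("craps pass line: P(win) =", pass_line_win_probability(),
          "house edge =", round(pass_line_expected_loss(), 5))
    for label, pick in (("lower bounds", lambda lo, hi: lo),
                        ("midpoints", lambda lo, hi: (lo + hi) / 2),
                        ("upper bounds", lambda lo, hi: hi)):
        print(f"security ranking using {label}:", prioritize(SCENARIOS, pick))
```

With the craps numbers fixed by the dice, the best policy (don't play, or at least minimise exposure) falls out immediately. With the security inputs only bounded, the ranking flips between the lower-bound and upper-bound estimates, which is exactly why a point-estimate risk methodology gives so little guidance there.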
In poker, on the other hand, while the probabilities of being dealt strong hands are well known, the unpredictable nature of opponents makes understanding these probabilities only a small part of a winning strategy. The best strategy for poker also changes over time as opponents also adopt new strategies to counter existing strategies. Because of this, a book on poker written in the 1960s may describe very different strategies than one written in the 1990s, yet both books can describe what might have worked well at the time.
In poker, the actions of opponents can also make a big difference in a winning strategy from moment to moment. If you are holding a moderately strong poker hand and your opponent makes a large bet, for example, you may decide that your hand is too weak to win, and that further betting is futile. The fact that your opponent may just be bluffing makes such decisions even more difficult.
In this light, the connection between poker and information security is not hard to make. In both cases, participants need to make decisions in the face of uncertain or even inaccurate information. In the case of poker, the uncertainty is caused by the other players, and because it’s in the interest of the other players to adopt a strategy that keeps a high level of uncertainty in the game, it’s unlikely that this element of the game will ever go away.
Information security, on the other hand, deals with reducing the chances of undesirable uncertain outcomes, but the ever-changing nature of both the information security market and the strategies of attackers makes it likely that it will always be impossible to develop a winning strategy that stays useful for long. So even the best security policy and the soundest security architecture will become obsolete fairly soon.
On the other hand, winning poker players have shown that it’s indeed possible to develop winning strategies in such a dynamic environment, so it shouldn’t be surprising that it’s also possible to successfully address the challenges of information security. Perhaps information security practitioners should use the game of poker as a training ground for decisions that they face on the job. After all, although you’ll always lose at craps, winning at poker is definitely possible.