
Risk assessment – when to bet and when to fold

July 12, 2022


Understanding risk in everyday life

I turn on the TV and see commercial after commercial promoting online casinos and gambling. With all-time low interest rates here in Sweden, the gambling business is flourishing. One ad shows a woman sitting at a kitchen table, a look of despair on her face as she looks at unpaid bills. In the next scene she buys a lottery ticket and her expression turns blissful. In the last scene she is flaunting money all around. It is the typical reverie of people who are bad at assessing risk.

We are constantly at the mercy of risk, a fact that businesses and people are eager to make money from. Have you ever thought about buying life insurance? Mathematicians employed by insurance companies have built models that estimate the probability of you dying from statistical data; factors such as your gender and age are taken into account. This determines the cover you can receive relative to the premium you have to pay, set so that it benefits the insurance company.

When you apply for a bank loan, the bank calculates the probability of you defaulting on the loan and gives you an interest rate that accounts for this risk, so that the bank still profits. When you buy lottery tickets, the game is mathematically rigged against you: the price of the ticket, the probability of winning and the amount you can win are not adjusted in your favor. Businesses and people that master the art of rationally assessing risk make better decisions and, in the long run, huge profits.

How do you rationally assess risk?

But how do you rationally assess risk? Risk assessment is the overall process of identifying and analyzing risk: think risk versus reward. Since we have touched on gambling, let's take Texas Hold'em poker as an example; it is a great way of training risk assessment skills and is even taught at MIT.

Your hand is the 7 and 8 of diamonds and you are on the turn, meaning the dealer has dealt four community cards and only one more card will be dealt after you and your opponent have finished betting.

The pot is 200 dollars, the money you and your opponent are trying to win. Your opponent goes all in with 500 dollars, making the pot 700 dollars. You have only two choices. Either you put 500 dollars into the pot as well and show your cards; one more card is then dealt and the best hand wins the 1200 dollar pot. Or you fold, meaning that you give up and let your opponent take the pot.

What should you do?

If you call the 500 dollars and get to see the last card, the only reasonable way you can win is by making a straight, meaning a 5 or a 10 is dealt on the river. Right now you only have 8 high, so you would lose even to many of your opponent's total bluffs.

The probability of a 5 or a 10 being dealt from this position follows from there being eight winning cards (your outs) among the 46 unseen cards, roughly 17 percent.

There is 700 dollars in the pot, so about 120 dollars is a rational amount to pay in order to win it; at that price you break even in the long run. If you only had to pay, say, 70 dollars to win the 700 dollars, you would be getting a great deal and would profit over time.

The problem is that your opponent is forcing you to pay 500 dollars in order to see the last card, horrible value for your money. You make the rational decision and quickly fold, because you are not a mindless gambler.

Risk assessment in information security

Being able to assess risk is a crucial part of life and very important when working in information security. A popular quantitative method for assessing risk in information security is calculating the annual loss expectancy, ALE.

Let's imagine that online gambling websites in Sweden start suffering DDoS attacks from hacktivists trying to disrupt their operations. Their management asks you, now working as a security consultant, what to do.

You suggest purchasing a cloud-based web application firewall (WAF) from a well-established vendor. It will cost 7000 dollars each year. Initially they believe it is too expensive, but after performing a risk assessment you show that the WAF will actually save them money.

Annual Loss Expectancy ALE

From historical data, the company suffers one successful DDoS attack every two years, which means a 50 percent yearly probability (the annual rate of occurrence). The average cost of one attack (the single loss expectancy) is 20000 dollars. The WAF would reduce the probability of a successful attack to 5 percent per year.

ALE without WAF = Annual rate of occurrence × Single loss expectancy
ALE without WAF = 0.5 × 20000 = 10000 dollars

ALE with WAF = Annual rate of occurrence × Single loss expectancy + Annual cost of safeguard
ALE with WAF = 0.05 × 20000 + 7000 = 8000 dollars

After presenting this data, management realizes they would save 2000 dollars annually by implementing the WAF and become more supportive of the investment.

Companies need to understand that security is not just a compliance cost: it mitigates risk and can even save money. If the ALE with the WAF had come out higher than without it, for example 12000 dollars instead of 8000 dollars, the recommendation would be not to implement it.
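The two calculations in this post, the pot-odds decision on the turn and the ALE comparison for the WAF, worked through as an added Python example that is not part of the original post. The "premium WAF" candidate is a constructed alternative standing in for the 12000-dollar case above, and the function names are my own.

```python
from dataclasses import dataclass
from fractions import Fraction

# Poker side: drawing to a straight on the turn with `outs` winning cards
# among `unseen` cards (the post's hand: 8 outs out of 46 cards).
def hit_probability(outs: int, unseen: int) -> Fraction:
    """Chance that one of the winning cards is dealt on the river."""
    return Fraction(outs, unseen)

def call_ev(outs: int, unseen: int, pot: float, call: float) -> float:
    """Expected value of paying `call` to see the river: you win the pot
    with probability p and lose the call otherwise."""
    p = hit_probability(outs, unseen)
    return float(p) * pot - float(1 - p) * call

def fair_price(outs: int, unseen: int, pot: float) -> float:
    """The post's rule of thumb: your equity times the pot (it rounds 121.7 to 120)."""
    return float(hit_probability(outs, unseen)) * pot

# Security side: annual loss expectancy (ALE) and the value of a safeguard.
@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float  # yearly price of the control
    aro_with: float     # annual rate of occurrence once the control is in place

def ale(aro: float, sle: float) -> float:
    """ALE = annual rate of occurrence x single loss expectancy."""
    return aro * sle

def yearly_cost_with(sg: Safeguard, sle: float) -> float:
    """Residual ALE plus the safeguard's price, the post's 'ALE with WAF'."""
    return ale(sg.aro_with, sle) + sg.annual_cost

def net_saving(sg: Safeguard, aro_without: float, sle: float) -> float:
    """Dollars saved per year by buying the safeguard; negative means it costs more than it prevents."""
    return ale(aro_without, sle) - yearly_cost_with(sg, sle)

def recommend(candidates, aro_without: float, sle: float) -> list:
    """Names of the candidates that pay for themselves, largest saving first."""
    scored = [(sg.name, net_saving(sg, aro_without, sle)) for sg in candidates]
    return [name for name, saving in sorted(scored, key=lambda t: -t[1]) if saving > 0]

if __name__ == "__main__":
    print(f"EV of calling 500: {call_ev(8, 46, 700, 500):.0f}")  # about -291
    print(f"EV of calling 70: {call_ev(8, 46, 700, 70):.0f}")     # about +64
    waf = Safeguard("cloud WAF", 7000, 0.05)                      # the post's figures
    premium = Safeguard("premium WAF", 12000, 0.0)                # constructed alternative
    print(recommend([waf, premium], aro_without=0.5, sle=20000))  # ['cloud WAF']
```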