Possibility is not ProbabilityBy Rich
On Friday I asked a simple question over Twitter and then let myself get dragged into a rat-hole of a debate that had people pulling out popcorn and checking the latest odds in Vegas. (Not the odds on who would win – that was clear – but rather on the potential for real bloodshed).
And while the debate strayed from my original question, it highlighted a major problem we often have in the security industry (and probably the rest of life, but I’m not qualified to talk about that).
A common logical fallacy is to assume that a possibility is a probability. That because something can happen, it will happen. It’s as if we tend to forget that the likelihood something will happen (under the circumstances in question) is essential to the risk equation – be it quantitative, qualitative, or whatever.
Throughout the security industry we continually burn our intellectual capital by emphasizing low-probability events.
“Mac malware might happen so all Mac users should buy antivirus or they’re smug and complacent”. Forgetting the fact that the odds of an average Mac user being infected by any type of malware are so low as to be unmeasurable, and lower than their system breaking due to problems with AV software. Sure, it might change. It will probably change; but we can’t predict that with any certainty and until then our response should match the actual (current) risk.
Bluetooth attacks are another example. Possible? Sure. Probable? Not unless you’re at a security or hacker conference.
There are times, especially during scenario planning, to assume that anything that can happen will happen. But when designing your actual security we can’t equate all threats.
Possible isn’t probable. The mere possibility of something is rarely a good reason to make a security investment.
I get the point of your title, Rich, but I think it’s unfortunate to make it under the often-impassioned debate that is Mac malware.
Even despite numbers, there is still debate on what is probable. Some may find it far more probable that Mac malware will occur while others don’t think it is probable while others will say, “If it’s not here, it’s not probable at the present and I’ll worry about it tomorrow only after it actually happens.” Some simply believe you should just run AV, as a matter of best practice, regardless. It is, sadly, a passionate debate.
It might be another bad example (human life is always impassioned), but with Hurricane Katrina wasn’t that an unlikely event and a decision based on some scale between probable and cost? <—feel free to leave that as rhetorical. I try not to dive into that topic too much, as many people know far more about it than I do.
This really reminds me also of Schneier’s (or others, I’m not sure) remarks on risk and how we worry so much about improbable but possible events.
By Chris Hayes
Ben, Do you wear a helmet, five-point harness and a fire suit when you are driving around town? It’s possible that your seat belt and airbag aren’t enough.
By Jon Robinson
No harm, no foul. Rich your point is right on (how is that for captain obvious?). That is the whole point of risk management. Managing the risk of the probable versus the possible, at what cost. It is also related to a recent court case throwing out a data breach damages suit. Just because there was a breach and there are theoretical damages is not enough. You need real damages. No harm, no foul! I have written more about it on my blog at http://www.ashimmy.com/2009/12/no-harm-no-foul.html
By alan shimel
@Rich - Yep, the post was absolutely and positively a vitriolic rant against you. It was, in fact, the very embodiment of an ad hominem argument, despite the interspersing of other arguments that I’m sure will be lost by anybody who wastes their time reading it. I found your interaction on Twitter Friday, along with this post Monday, to be that offensive, both personally and professionally. It is precisely your haughty tone throughout this entire episode that underscores why many of us in the industry find analysts so infuriating.
@Russell - check out dictionary.com definitions, too, which aggregates several sites. My point is simply that there’s inconsistency, that Rich used the terms informally, and now we’re talking about formal definitions, and it’s confusing as heck. Ergo, the point doesn’t carry very well.
Ben and Russell- found your registrations and set you for non moderation.
Ben- after your blog post, which was nothing than a very long insult, I won’t try and engage you in debate again on this (or probably any) issue. You can continue to post here, as long as it isn’t purely inflammatory.
@Ben I can certainly understand how common and informal definitions can get in the way of their use in formal analysis. (The word “security” is a fine example.) However, that shouldn’t be an insurmountable obstacle. If we are doing formal analysis, we should draw on terminology that has been defined in the context of that formal analysis, as I pointed out in my references.
BTW, I took up your challenge and looked up “possibility” in Wikictionary: http://en.wiktionary.org/wiki/possibility . There is no mention of “likelihood” or “probability”, even in the list of Synonyms or Related Terms.
By Russell Thomas
On #1… the definitions are not consistent, it depends on where you’re reading things from… look at mainstream dictionaries and you will find that possibility is being defined as a synonym for likelihood, etc. It’s not a good choice of words. Same goes for your use of probability… I’ve been suspecting that you meant it in the sense of “greater than 50% chance,” but it’s been completely unclear… once again, choice of words - and clear definition - is extremely important…
On #3… why does everybody hate on PKI? it’s not like it just fell off the turnip wagon… the problem was in thinking that every enterprise needed one… I lived through that period, in the field, and I honestly still don’t know where that came from… as best as I can tell, the vendors were again the source…
On #4… no no no no no… this is your favorite definition for “risk” but that is NOT the same as defining risk in a context. Everybody seems to get this wrong. Your definition is only textbook - what does it mean applied? Theory in this case is only as good as it’s application, and “risk” is completely screwed up. You CANNOT go around saying definitively what is and is not a high or low risk for everybody, because every organization is different, their requirements are different, their priorities are different, etc. This is a MAJOR failure in the industry today. Everybody flogs “risk” like it’s some useful generic term, and it amounts to nothing more than FUD. Call me if you want to discuss, because this is a very, very, very important point.
On #5… every security decision is based off of the possibility that something bad could happen… do you not agree? or do you think that decisions are made for arbitrary reasons without any attempt to pin it to something? even FUD is based in the possibility that something might happen, though often exaggerated beyond the reasonable likelihood of the outcome. That was my point, and I think you missed it, too. This point, incidentally, is not ad hominem… if you want that, read my ranty post from today (or don’t, it’s not worth the paper it’s printed on)...
As for registering to skip moderation, I did, and it isn’t…
@Russell - Contrast this against common language dictionaries. You will find that “possibility” is defined as a synonym for “likelihood” which is defined as “probability.” This really just underscores my point that the phrase is a bad choice and doesn’t make any sense. Saying “possibility is not certainty” would make a whole lot more sense.