On Friday I asked a simple question over Twitter and then let myself get dragged into a rat-hole of a debate that had people pulling out popcorn and checking the latest odds in Vegas. (Not the odds on who would win – that was clear – but rather on the potential for real bloodshed).
And while the debate strayed from my original question, it highlighted a major problem we often have in the security industry (and probably the rest of life, but I’m not qualified to talk about that).
A common logical fallacy is to assume that a possibility is a probability. That because something can happen, it will happen. It’s as if we tend to forget that the likelihood something will happen (under the circumstances in question) is essential to the risk equation – be it quantitative, qualitative, or whatever.
Throughout the security industry we continually burn our intellectual capital by emphasizing low-probability events.
“Mac malware might happen, so all Mac users should buy antivirus or they’re smug and complacent.” This forgets that the odds of an average Mac user being infected by any type of malware are so low as to be unmeasurable, and lower than the odds of their system breaking due to problems with the AV software itself. Sure, it might change. It will probably change; but we can’t predict that with any certainty, and until then our response should match the actual (current) risk.
Bluetooth attacks are another example. Possible? Sure. Probable? Not unless you’re at a security or hacker conference.
There are times, especially during scenario planning, when it makes sense to assume that anything that can happen will happen. But when designing your actual security controls, you can’t treat every threat as equally likely.
Possible isn’t probable. The mere possibility of something is rarely a good reason to make a security investment.
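The point of the post, that likelihood has to enter the risk equation before a possibility justifies spending, can be made concrete with a small worked example. This code is added here and is not part of the original post or any Securosis tool; the threat names, annual rates, loss figures and control costs are all constructed for illustration. It ranks threats by annualized expected loss (rate per year times loss per event, the standard ALE calculation) rather than by whether they are merely possible, and then checks whether a control's annual cost is covered by the loss it actually removes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    annual_rate: float      # expected occurrences per year (ARO)
    loss_per_event: float   # expected loss per occurrence, in dollars (SLE)


@dataclass(frozen=True)
class Control:
    name: str
    threat: str             # name of the Threat this control addresses
    annual_cost: float      # licence, labour and productivity cost per year
    rate_reduction: float   # fraction of the annual rate the control removes (0..1)


def annual_loss_expectancy(threat: Threat) -> float:
    """ALE = ARO x SLE: how much this threat is expected to cost per year."""
    return threat.annual_rate * threat.loss_per_event


def rank_by_expected_loss(threats: list[Threat]) -> list[str]:
    """Order threats by what they are expected to cost, not by whether they are possible.
    Every threat in the list is 'possible'; only the rate and loss separate them."""
    return [t.name for t in sorted(threats, key=annual_loss_expectancy, reverse=True)]


def control_net_benefit(threat: Threat, control: Control) -> float:
    """Expected loss avoided per year minus what the control costs per year.
    Negative means the control costs more than the risk it removes."""
    avoided = annual_loss_expectancy(threat) * control.rate_reduction
    return avoided - control.annual_cost


def justified_controls(threats: list[Threat], controls: list[Control]) -> list[str]:
    """Return the names of controls whose avoided loss exceeds their cost."""
    by_name = {t.name: t for t in threats}
    return [
        c.name
        for c in controls
        if c.threat in by_name and control_net_benefit(by_name[c.threat], c) > 0
    ]


# Constructed sample data (hypothetical figures, not measurements):
# all three threats are possible, but their rates differ by orders of magnitude.
SAMPLE_THREATS = [
    Threat("phishing credential theft", annual_rate=4.0, loss_per_event=20_000.0),
    Threat("commodity malware on managed Macs", annual_rate=0.05, loss_per_event=15_000.0),
    Threat("Bluetooth proximity attack", annual_rate=0.01, loss_per_event=50_000.0),
]

SAMPLE_CONTROLS = [
    Control("mail filtering and MFA", "phishing credential theft", 25_000.0, 0.8),
    Control("Mac AV licences", "commodity malware on managed Macs", 12_000.0, 0.6),
    Control("disable Bluetooth fleet-wide", "Bluetooth proximity attack", 2_000.0, 0.9),
]

if __name__ == "__main__":
    for t in SAMPLE_THREATS:
        print(f"{t.name:40s} ALE ${annual_loss_expectancy(t):>10,.0f}")
    print("ranked:", rank_by_expected_loss(SAMPLE_THREATS))
    print("justified:", justified_controls(SAMPLE_THREATS, SAMPLE_CONTROLS))
```

With these figures the phishing control pays for itself several times over, while the Mac AV and Bluetooth controls each cost more per year than the loss they avoid, even though the threats they address are perfectly possible. Swapping in your own rates and loss figures is the whole exercise; the ranking only changes when the likelihood or the impact does.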
21 Replies to “Possibility is not Probability”
Ben,
My understanding of your position from the debate on Friday is that we do not have the data to say that Mac users experience near zero levels of malware, and Mac users should thus take precautions like AV.
You’ll notice I left your name off the quote above since it was a combination of a few responses, only one of which was yours. You obviously took it personally, which wasn’t the intention and the reason for not naming you. Read the other @replies and my fake quote makes absolute sense.
Don’t think it’s all about you - it isn’t.
On to responding to your specific concerns:
1) No, I said exactly what I mean. The point is not folly, and is a common problem in both our industry and risk assessment in general. I meant that possibility is not probability, just as probability is not certainty. There is no logic flaw in that statement, using accepted definitions of possible, probable, and certain.
2) Please review the Symantec, McAfee, and various other malware reports. Look for two trends: rise of detected Mac malware, and rise of infected Macs. I don’t have time to pull all the reports, and I know you know where to find them. Your statement is based on ignorance, mine is informed. There is anti-malware on many Macs, cloud-based filtering, and detection of source systems for attacks. All of these back my statement. No, I’m not showing the data here, but I just don’t have time to pull it and it’s well known and widely available.
My assertion is well backed by multiple sources of evidence which are publicly available and easy to find. We are talking about malware vendors admitting there’s little for them to fix, so I consider it more reliable than these reports often are.
3) Yes, this is a problem with our industry and a mistake I’ve made in my past. We aren’t perfect, and there are numerous examples. I do agree the vendors take much of the burden, but how about those PKI deployments pushed by practitioners?
You may not have played this game (which I doubt), but many in our industry at the practitioner level have and do. It’s the nature of working in a risk-based profession, and human behavior.
4) Don’t blame me for your inability to understand the context. Risk is the loss or potential for loss (the RMI definition). The current risk is the potential for loss, which is a combination of the chances of the event and the potential severity. Since my post focuses on probabilities, I assumed the reader would understand that I’m referring specifically to the chances of a user encountering and being infected by malware.
Seems clear to me. Plenty of context since that’s what I spend the entire post talking about.
5) I can’t see you making a point here - other than trying to make this personal. This is nothing but a straw man, since it does not represent the content of the post nor my position.
Now perhaps you are offended in that I used the term probable to mean that something is likely to happen (odds over 50%) as opposed to the scientific definition where a probability is the specific measurement of exactly how likely something is (the exact percentage, or other scale of measurement).
Don’t assume that is a lack of knowledge or an error. Using the colloquial in an informal blog post doesn’t make the conclusion incorrect; this isn’t a scientific paper and so far you are the only one who is concerned with the usage.
Another fundamental issue is that we suck at quantifying how any given security measure impacts the probability of a vulnerability being exploited.
So, we can’t accurately predict if a thing will happen thus we don’t know if it is worth acting against, and when we do act against it, we can’t accurately predict if the action will diminish the risk or by how much if so.
Funny… my MS is in CompSci, but I’ve yet to see the science and it is continually depressing.
You make a large number of errors in this post…
1) You should really say “Possibility is not certainty.” This whole “possibility is not probability” phrase is pure nonsense because at their root they all deal with chance. Relying on colloquialisms to make your point is folly here.
2) “…the odds of an average Mac user being infected by any type of malware are so low as to be unmeasurable…” – You’ve yet to provide a basis for this assertion. I maintain that so few people are looking for Mac malware that this is a self-fulfilling prophecy of the worst kind (because it’s based in blind ignorance rather than informed study). If you’re so sure this is true, then you will do us all a favor and thoroughly document your assertion. Until then, I call foul.
3) “Throughout the security industry we continually burn our intellectual capital by emphasizing low-probability events.” – This is apparently the Securosis theme for the month? Blame infosec professionals for the failings of vendors and the FUD of vendor marketing? This is patently insulting tripe that has no business being directed at those of us in the field trying to get stuff done. It’s also patently false for practitioners. I don’t know anybody serious in this industry (except maybe Anton) who thinks FUD-based arguments looking at low-probability events are useful or important. On the flip side, it is sheer lunacy in certain planning cycles (e.g. BCP/DRP) to ignore high-impact low-frequency events like natural disasters, so be careful how you phrase it.
4) “…we can’t predict that with any certainty and until then our response should match the actual (current) risk.” – What’s your point here? You’ve made an arbitrary “risk” statement without contextualization, and thus it’s absolutely meaningless. Quit talking about “risk” as a general term because it’s absolutely meaningless without proper contextualization in a given business environment. You’re guilty of the use of risk as FUD, which is ironic given the thread on Friday.
5) “Possible isn’t probable. The mere possibility of something is rarely a good reason to make a security investment.” – And here we revisit the basis of your thesis: semantic games. Every security decision is based on possibilities, and to suggest otherwise is ignorant. If there’s no chance that something will happen, then why would we ever invest resources into it? The problem, again, is that you’re using these terms in colloquial ways, not in a way that is meaningful, especially from a statistical or scientific perspective. Go read the definitions, I think you’d be surprised just how ignorant and wrong your use is here.
For the record, you’ve completely misconstrued my argument from Friday, which had absolutely nothing to do with either “possibility” OR “probability.” Really classy, Rich.
“I would be willing to bet that the vast majority of security professionals have little or no training in this stuff, beyond basic probability.”
I think you are being overly generous on how much most of us know about basic probability. 🙂
Here’s one more example of how the probability of events are poorly managed. Consider how many organizations impose draconian security controls to avoid some highly improbable threats, but those very controls make it *highly probable* that users, managers, and administrators will circumvent the controls because they find them too burdensome.
I’m starting to like you more and more every day.
I agree completely. It also ties in with increasing a focus on incident response, rather than completely on prevention.
Excellent, Rich. I’d add this: Security specialists and their partners need to have skills to deal with *both* the space of possibilities and also probability estimation (on the way to risk estimation and management).
We need to constantly explore and monitor the space of possibilities to minimize unknown-unknowns and to rule out certain threats as improbable. It is also essential for agility, i.e. preparing for emerging threats, or at least being in a position to adjust if they become probable.
I would be willing to bet that the vast majority of security professionals have little or no training in this stuff, beyond basic probability.