Risk, chance and illusion
When I make a website for someone, people who are scared of hackers usually tell me:
"I don't want to run any risks!"
This is a statement I can only dismiss logically. If you don't want to run any risks, you are basically not going to get what you want. This is because people misunderstand risk and chance.
Risk is always present. Even when you spend the day in bed with a blanket over your head, there is still a chance you might die, get burgled, get sick, etc.
So in my answer I have to allow for that fact and not go logical on them. Instead I tell them how low (or high, but in these types of situations people want you to tell them how low) the risk is of using a website in the right manner, and what behaviours will increase the risks.
So basically we have a psychology that wants to be reassured. We don't need another thing to worry about. But if you bury your head in the sand, a lion might eat your ass.
And worrying too much will lead to an early grave because of stress.
How much should I worry?
Just the right amount. The only thing is: how do you know what the right amount of worry is, what the right behaviour is in any situation? For that, risk needs to be assessed. And to do that consistently in any situation you WILL need some math: probability theory, and more specifically the expected value.
The expected value is what you will get ON AVERAGE. It doesn't mean what you get, because you don't know that. But if you repeat an action a million times, your average result will be very close to the expected value.
Huh?
For instance, I have a very simple lottery. You give me a euro. You roll a die. If you throw a five or a six, you double your money. Anything else, you lose.
Now most people will be smart enough to see this is not a good bet. But let's work it out, to see how the expected value shows us that.
The chance of rolling a 5 OR a 6 is easily calculated. There are 6 possibilities and 2 of them count as a win. 2 out of 6, or 2/6 = 1/3, is a 33% chance of a win. (In probability theory this is usually written as 0.33, a 0.33 chance of ...)
The expected value is the sum, over all outcomes, of chance x result. The result if we win is that we double our money, or 1 euro extra. We multiply that 1 by the chance of winning: 1 x 0.33. So I can expect to win 33 cents.
So that would mean it is a good bet?
No, because we have only calculated part of the chances: only the winning part. The expected value is the sum of all parts.
There are 4 possibilities out of 6 of losing a euro, so 0.66 x -1, which is -0.66.
These values we have to add up, so 0.33 - 0.66 = -0.33.
Each time I play this game, on average I will lose 33 cents.
-0.33 is the expected value, and this is why it's a bad bet.
Now this seems a trivial example, but this kind of reasoning is what leads people to play the lottery. They focus on winning. They say things like: someone has to win.
Also they are afraid of missing out and they don't mind the occasional entrance fee.
But if you look at lottery chances, which are usually one in several MILLIONS, something goes wrong.
If the prize is big enough and the chance is not communicated, people will fall for it.
And on average, it will ALWAYS pan out the same. A friend of mine called lotteries a 'stupidity tax'.
I would like to paraphrase that as 'bad risk assessment tax'. This is because even very clever people can be incredibly bad at risk assessment when there is an emotional component.
So how much should I worry?
In the case of a website, we are looking at a cost-benefit analysis. Allowable risks depend on what you want a website for. If having a website makes you money somehow, you should have a fair idea of how much money that is going to be. Which means you have to know about conversion, traffic building, etc.
But let's say you know that stuff and you have figured out you can make 200 euro a month on a website.
What are acceptable risks? Well, any risk with an expected value of less than 200 per month will still leave you a profit, so you'll have to estimate how much things will cost.
If you run a very small webshop, for instance, you could have the following problem:
- Someone might hack your password and get in as you.
What could this person do? He could do a lot of damage to your image and this might put you out of business, but you cannot count this as a cost. You might go 8 months without any incident and be 1600 in the plus. It's still a nuisance, but you did it once, you could do it again.
The cost would be that of setting up the website again and restarting your webshop, knowing everything you know now. I have no idea how much that is going to be, but let's say it is going to be 8000.
You might say: oh my god, that's really bad, I am not going to do that.
Now we need to figure out how high the chance is that you get hacked in this way.
To do that you need to know a bit about hacking.
In the case of a login, there are a number of risks.
- A hacker might try to guess your password (most passwords are something like test123; there is a list of the top million passwords, hackers use these lists, and so should you). With a sufficiently complicated password of 8 characters using only lowercase letters and numbers, the chance of guessing it is 1 in 20.000.000.000.000, so that's not bad.
At an average of 1 second per login attempt, this will take a hacker 635000 years. You will have made a fortune by then, and the chances of this are negligible.
This is why hackers are smarter.
- A hacker might use a program to automatically try to log in and guess your password (BRUTE FORCE). There are some things you can do against this, like locking your account automatically if there are too many failed attempts. In that case, you don't have to close your business, just reopen your website, at maybe 400 euro of lost business and the labour of some ICT geek like me.
- A hacker might use a known exploit of the software you are using. This is why we update our software. Most popular software fights a constant battle against hacking, and if you do not update, you are going to get hacked. So this will be your maintenance fee.
- You might decide to go with a lesser-known piece of software, so there are fewer hackers that even know about it and are working to find exploits. This is called security by obscurity, and you are betting on the smarts of the team that writes the software. Unless you are an absolute ICT security expert, who can recite the OWASP top 10 of any given year when woken in the middle of the night, I would recommend against this.
- A hacker might INVENT a BRAND-NEW exploit just for your site or software. This is called a zero-day exploit and they exist, but they are rare. Hackers that can actually do this are becoming rarer and rarer, and let's be honest, you probably cannot protect yourself against them anyway. We are talking CIA-type spy shit here. These people have better things to do, and the chance this happens for your measly 200 euros, or even the contents of your bank account, is even smaller than guessing a password.
- Someone might trick you into giving up your password. Look into social engineering. Choose a password that cannot be guessed, store it somewhere safe, don't share the password. It's as simple as that, and you probably think you are less easy to fool than you actually are. Go to a hypnotist, cluck like a chicken, watch the video of you prancing around clucking like a chicken, and then decide whether nobody is going to get the better of you. Chances are never zero, but if you prepare, you are a hard nut to crack.
So if you protect yourself against this type of break-in, the chance of someone breaking in is negligible. BUT, and I stress this, it is never 0.
Your mother-in-law might have a stab at your password by doing a keyboard smash and it MIGHT be your password. Unlikely, but anyone guaranteeing anything is lying to you and not being realistic.
Now there is more to worry about than just a false login, but let's say that's the ONLY risk.
We do the same for each scenario: we assess the maximum damage and we multiply by the actual risk.
So someone gets in by guessing your password. Cost: 8000. Chance: 1 in 20.000.000.000.000. So expected value: -8000/20.000.000.000.000 = -0.00000004 cents.
You add up the expected values of all scenarios, and if they do NOT amount to -200 or more, you are golden. You are doing it right.
You can have a security expert help you dream up scenarios and get an idea of how likely they are (per month) and what unexpected damages there might be (like lawsuits, etc.). This will then give you enough information to put in your risk-assessment spreadsheet.
expected monthly income: 200

scenario    cost    chance    expected value
password    8000    0.001     -8
CSRF        8000    0.01      -80
etc.

This will give you a total of 200 - 88 = 112.
Maybe not what you want to hear, but if you accept that managing risk costs money, you don't have to worry anymore.
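The expected-value arithmetic from the dice lottery and from the webshop spreadsheet above, as an added worked example (my code, not the author's). It takes the page's own figures as inputs (win 1 euro on a 5 or 6, income 200 per month, password 8000 x 0.001, CSRF 8000 x 0.01); the 0.001 and 0.01 monthly chances are the page's assumed values, not measured ones.

```python
from fractions import Fraction


def expected_value(outcomes):
    """Sum of chance x result over ALL outcomes, the losing ones included.

    `outcomes` is a list of (probability, result) pairs. The probabilities
    must cover every case, so they have to add up to exactly 1; forgetting
    the losing part is the mistake the dice example warns about.
    """
    total = sum(p for p, _ in outcomes)
    if total != 1:
        raise ValueError(f"outcomes must cover every case, probabilities sum to {total}")
    return sum(p * r for p, r in outcomes)


def dice_lottery():
    """Pay 1 euro, roll a die: 5 or 6 doubles your money (+1), the rest loses it (-1)."""
    win = Fraction(2, 6)                       # exact 1/3, not a rounded 0.33
    return expected_value([(win, 1), (1 - win, -1)])   # -1/3 euro per play


def monthly_risk_budget(income, scenarios):
    """Expected monthly result of running the site: income minus expected losses.

    `scenarios` maps a name to (cost if it happens, chance per month).
    Each scenario contributes -cost * chance, exactly like the spreadsheet rows.
    Returns (net expected result, per-scenario expected loss).
    """
    losses = {name: -cost * chance for name, (cost, chance) in scenarios.items()}
    return income + sum(losses.values()), losses


def is_acceptable(income, scenarios):
    """The page's rule: the summed expected losses must not reach -income."""
    net, _ = monthly_risk_budget(income, scenarios)
    return net > 0


# The spreadsheet from the text (assumed figures, not measurements).
WEBSHOP = {
    "password guessed or stolen": (8000, 0.001),   # -> -8 per month
    "CSRF": (8000, 0.01),                          # -> -80 per month
}


def webshop_example():
    return monthly_risk_budget(200, WEBSHOP)       # -> (112.0, {...})
```

Add a scenario the expert dreamed up as one more key in the dictionary and the net figure updates; if `is_acceptable` turns false, the site costs more in expected damage than it earns.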
That´s clear, what is the illusion?
That's the illusion. It's not clear, it only seems clear. We say to ourselves: I can do that.
But estimating relative probabilities is counter-intuitive for humans, especially if emotion comes into it at some point. And humans are worse at managing probability than other animals, even though we are clearly much more intelligent. It has little to do with intelligence, unless you are SUPER intelligent, and even then it's hard work.
So we must be diligent and accept that we have a problem, and NOT trust our instincts, because they are wrong.
The Monty Hall problem
Famous is the Monty Hall problem (or the three-door problem), where almost everybody gives the wrong answer; it was only solved by someone with a 190 IQ, and even then most people would not believe the proof. So almost NOBODY gets it right.
What most people also do not know is that pigeons get it right 30% of the time on their first encounter with the problem and 96% of the time after repeated trials: https://www.livescience.com/6150-pigeons-beat-humans-solving-monty-hall-problem.html
Lotteries
If I tell you that when you give me a euro there is a chance I will give it back to you, you will laugh at me. If I tell you there is also a chance I give you 100 euros, you might reconsider.
Even before I tell you how big (or small) that chance actually is, you assume the game is fair.
It doesn't need to be, and actually mostly it isn't.
Games of chance are rigged. Take that as a given.
There are ways to beat the system, but they either involve a whole lot of math, or being even trickier than the people who started the game.
However, gambling is not forbidden like other crimes; it's regulated. We tell them how much they can cheat, not that they cannot do it, and governments either tax the wrongdoers or actually set up lotteries themselves (Netherlands: Staatsloterij).
The fact that this can happen should show you how bad we are as a species at risk management.
Health
We smoke, even though we know it raises the risk of dying of a terrible disease.
We eat too much, even though we know we have a higher risk of heart attack and diabetes.
In those cases something outweighs these risks, and the fact that the results come about after a long period of time makes them emotionally inaccessible.
This is the case with anything that takes over THREE MONTHS and gives some kind of instant gratification. This is just a built-in thing. You can do things to change your behaviour by knowingly rewarding your good behaviour and making slow progress visible.
But we all know how hard this is.
The illusion of understanding, of being capable.
We think we know things, but we are only a few questions away from complete ignorance.
For instance, you probably know how many calories you should eat per day.
Do you know what a calorie is?
You probably don't know that calories are no longer used in science.
Do you know how many calories are in your food?
Therefore you have to look at tables of calories for different foodstuffs and weigh your intake. Or look at the packaging.
How do you know there are as many calories in the food as it says on the packaging?
Did you know combinations of foods can result in more calories than the original foods?
It's the same with everything. You know how to drive, but unless you are a VERY good mechanic, you don't know how the car works. And even if you were a VERY good mechanic, you would probably get some pre-made parts that you wouldn't be able to make yourself.
This is perfectly OK, because we MADE it perfectly OK. In most cases, you don't need to know.
But that is not the same as knowing, not the same as understanding.
This leads to a much higher opinion of our understanding and capabilities than we should have.
If something out of the ordinary happens, most people do not cope well.
Why are we so bad? What can we do?
Read these:
- https://www.psychologytoday.com/us/blog/the-inertia-trap/201303/why-are-people-bad-evaluating-risks
- https://www.psychologytoday.com/us/blog/inconvenient-facts/201904/why-it-matters-values-shape-our-perceptions-facts
- https://www.psychologytoday.com/us/basics/behavioral-economics
- https://www.psychologytoday.com/us/basics/affective-forecasting
- https://www.psychologytoday.com/us/basics/bias
Risks are mostly about things that are not ordinary, not familiar. Otherwise we would call it a danger, which is the word for a familiar risk.
But that is a difference in our language, while the truth is there is a risk OF a danger. Fire is dangerous, for example, but there is still a risk connected to fire, which has everything to do with the situation you are in.
The fact that you don't know how to calculate the risk makes you afraid enough to avoid most cases of fire. So being afraid (or worrying) is what usually keeps us safe when we don't understand.
Understanding, really understanding, can put your mind at ease.
Unfortunately, it's a lot harder than it seems, because you cannot understand everything, and to know what you should try to understand, you should know the limitations of your own mind.
And we need to manage worrying as well.
The best step you can take is to ACCEPT that risk is always present. Learn about what you cannot do and why you are likely to be wrong in your estimates.
And stop worrying about it as an abstraction; only worry about it in particular cases.
Fear itself is not the only thing we have to fear, but not fearing abstractions is one of the biggest improvements you can make.
I might write another time about why fear is everywhere these days and fear is the new religion.