The Flaw of Averages in Cyber Security

Sam Savage, PhD, founder of ProbabilityManagement.org, author of The Flaw of Averages: Why We Underestimate Risk in the Face of Uncertainty, and consulting professor at Stanford. © Copyright 2015, Sam L. Savage.

The “flaw of averages” is a set of systematic errors that occur when uncertain assumptions are replaced with single “average” numbers. The most serious of these, known as Jensen's inequality by mathematicians, states roughly that “plans based on average assumptions are wrong on average.” The essence of cybersecurity is the effective mitigation of uncertain adverse outcomes. I will describe two variants of the flaw of averages in dealing with the uncertainties of a hypothetical botnet threat. I will also show how the emerging discipline of probability management can unambiguously communicate and calculate these uncertainties.
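To make Jensen's inequality concrete, the following Python is an added example (not Sam Savage's code and not from the book) that builds a small Stochastic Information Packet, an array of trial values for the uncertain number of infected hosts, and compares the two ways of planning. The cost model, the 100-host in-house remediation capacity, the per-host overflow cost and the exponential distribution of infection counts are all assumptions made for the illustration.

```python
"""Worked illustration of the flaw of averages (Jensen's inequality) for an
uncertain botnet infection count.  Every number below is constructed for the
example; nothing here comes from the original sidebar."""
import random
from statistics import mean


def cleanup_cost(infected, capacity=100, overflow_cost=1000.0):
    """Response cost for a given infected-host count (constructed model).

    The in-house team remediates up to `capacity` hosts at no marginal cost;
    each host beyond that is outsourced at `overflow_cost`.  The result is a
    convex function of `infected`, which is exactly the shape where Jensen's
    inequality makes the average-based plan too optimistic.
    """
    return overflow_cost * max(0, infected - capacity)


def plan_on_average(sip, **kw):
    """The flaw-of-averages plan: collapse the SIP to its mean, then cost it."""
    return cleanup_cost(mean(sip), **kw)


def average_of_plan(sip, **kw):
    """The probability-management approach: cost every trial, then average."""
    return mean(cleanup_cost(x, **kw) for x in sip)


def fraction_over_capacity(sip, capacity=100):
    """Share of trials in which the in-house team is overwhelmed."""
    return sum(1 for x in sip if x > capacity) / len(sip)


def make_sip(n_trials, mean_hosts, seed=0):
    """Constructed SIP: one skewed (exponential) draw of the infected-host
    count per trial, seeded so the example is reproducible."""
    rng = random.Random(seed)
    return [round(rng.expovariate(1.0 / mean_hosts)) for _ in range(n_trials)]


# A five-trial SIP constructed by hand whose mean is exactly the capacity.
HAND_SIP = [0, 50, 100, 150, 200]

if __name__ == "__main__":
    print("hand-built SIP, mean =", mean(HAND_SIP))
    print("  cost at the average :", plan_on_average(HAND_SIP))   # 0.0
    print("  average of the cost :", average_of_plan(HAND_SIP))   # 30000.0

    sip = make_sip(10_000, mean_hosts=100)
    print("simulated SIP, mean =", round(mean(sip), 1))
    print("  cost at the average :", round(plan_on_average(sip), 1))
    print("  average of the cost :", round(average_of_plan(sip), 1))
    print("  P(team overwhelmed) :", fraction_over_capacity(sip))
```

With the hand-built SIP the average infection count equals the team's capacity, so a plan built on that average budgets nothing for outsourcing, while the trial-by-trial average shows a real expected cost: the "wrong on average" result the paragraph describes. Keeping the SIP as an array rather than a single number is what lets the uncertainty be carried through the calculation unchanged.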

Botnets

A “botnet” is a cyberattack created by malware that penetrates numerous computers, which may then be directed by a command‐and‐control server to form a network that carries out illegal activities. Eventually this server will be identified as a threat, whereupon future communication with it is blocked. Once the dangerous site is discovered, the communications history of the infected computers can pinpoint the first contact with the offending server and yield valuable statistics.

Suppose you have invested in two layers of network security. There is a 60% chance that a botnet virus will be discovered ...

Excerpt from How to Measure Anything in Cybersecurity Risk, 2nd Edition (O’Reilly).