GAMBLES AND RISK
Something that has been on my mind
recently is the things we all choose to do. I am not talking only about
technology but also generally. You see, whenever we decide to do
something we only do so after we have done a risk assessment regarding
the choice. This may be a conscious or an unconscious process, but it
happens regardless. Now there are of course factors which still make it
difficult, such as when we actually do not have all the information
needed, but we still try to use what we have.
What I am talking about is when we
fail to differentiate between a gamble and a risk. Allow me to explain
because while both terms sound familiar, they are very different. I
define a "risk" as something
which even if the action fails and you 'lose', the loss does not
cripple you. Yes, you may suffer a temporary setback, but it is not a
total disaster. I liken this to buying one lottery ticket a month. The
odds against winning are astronomical, but losing that small amount of
money will not kill you (bear in mind I am speaking generally here). A "gamble"
is what I define as something you cannot afford to lose, because losing will be a
major disaster for you, something from which you will not be able to
recover. I liken this to playing Russian roulette: if you do not get it
right, you... uhhh... will not be recovering from that.
Now a lot of problems come about
when people fail to tell the difference between a
gamble and a risk, and so they find themselves placed in really bad
situations, where they have to keep raising the stakes (which is just
delaying the inevitable) or they have to do something they normally
would not consider doing in order not to be wiped out by the
consequences of their actions. Now you may not see how this applies to
technology or security, right? What about K.T. Ligesh? Name ring a bell?
His company developed HyperVM, which had a zero-day in it; it was
exploited and thousands of hosted websites were deleted. Mr. Ligesh
hanged himself soon afterwards. Argue all you like about his state of
mind, but having this happen because of software he helped develop
could not have helped his happy feelings.
How often do we make choices about
who we deal with, how we deal with them, what we allow, what we
justify, etc.? Are we always taking 'risks'? Or are some of those
choices 'gambles'?
And this entire process is made
worse by our own blind spots. There is a song called "The Devil Went Down to Georgia";
the song is about the traditional bet between the devil and a mortal:
"Now you play a pretty good fiddle, boy,
but give the devil his due:
"I bet a fiddle of gold against
your soul, 'cos I think I'm better than you."
The boy said: "My name's Johnny and
it might be a sin,
"But I'll take your bet, you're gonna
regret, 'cos I'm the best that's ever been."
In the song, Johnny goes on to give
the devil a beating. Nice. But not realistic. We all think we are 'the
best that's ever been', but guess what? We are not. We may have some
strengths, but too often we let those blind us to our weaknesses. There
is an actual term for this, 'metacognition',
which is generally defined as:
"Metacognition
is the awareness individuals have of their own mental processes and the
subsequent ability to monitor, regulate, and direct themselves to a
desired end."
Sounds nice, hey? What that means in
essence is that the skills that equate to competence in a particular
domain are often the very same skills necessary to evaluate competence
in that domain—one's own or anyone else's. And what that means is that
incompetent individuals lack the knowledge to actually know they are
incompetent. Think about that for a bit. We all should be able to admit
that there are multiple areas in which we are incompetent, and that may
be an easy thing even. But it seems a lot more difficult to say I am
partway competent - a little bit of knowledge is truly a dangerous
thing.
Now all of this combines to have us
make choices we should never have made, and we end up gambling when we
think we are only taking a risk. Do you know the difference?