In Lord Dunsany's story 'Jorkens' Revenge', the Munchausen-like Jorkens manages to win an unusual wager with his nemesis, Terbut: Jorkens bets him £5 that it is further from Westminster Bridge to Blackfriars Bridge than it is from Blackfriars Bridge to Westminster Bridge.
The perplexed Terbut then finds that the taxi ride one way is indeed longer than the ride the other way and grudgingly pays Jorkens £5 without fully understanding why he lost the bet. The secret to Jorkens' victory, of course, is that the road between the two bridges is shaped like a semicircle. Because London traffic keeps to the left, the lane in one direction runs along the inside of the curve and the lane in the other direction along the outside, and driving an arc of a smaller radius gives you a shorter distance than driving an arc with a larger radius.
This example demonstrates fairly clearly that exactly how we measure things can be very important.
Measuring the effectiveness of information security technologies is not as easy as taking a taxi ride and noting odometer readings, but it is a critical part of making the right decision about whether or not to make investments in your corporate IT infrastructure.
It is also important to use careful calculations to measure the benefits from security investments instead of just relying on the intuition of information security professionals, even highly skilled and experienced ones.
This is due to the way in which our brains understand risk, which seems to make us inherently risk-averse. And although being risk-averse may be a good survival strategy for individual people, relying on the same intuition for investment decisions for your business may lead to decisions that are not as good as those that could be made using a careful cost-benefit analysis.
Our inherent bias towards risk-aversion is the cause of the so-called Allais Paradox. This was first described in 1953 by the French economist Maurice Allais, and it shows how the existence of risks can make better alternatives seem less appealing than they should be.
The Allais Paradox can be seen through the choices that people make when presented with the following pairs of alternative games:
Game A: A 20 per cent chance of winning £4,000
Game B: A 25 per cent chance of winning £3,000
Game C: An 80 per cent chance of winning £4,000
Game D: A 100 per cent chance of winning £3,000
Note that the expected winnings from Game A (£800) are greater than the expected winnings from Game B (£750), and that the expected winnings from Game C (£3,200) are greater than the expected winnings from Game D (£3,000). Most people will choose Game A over Game B, and will also choose Game D over Game C.
In the first case, they pick the option that gives them the best expected winnings, but in the second case, their aversion to risk leads them to pick the option that has lower expected winnings but a certain outcome.
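As an added check on the arithmetic, not part of the original text, here is why those two choices cannot both come from any consistent valuation of the prizes. Write $u(x)$ for the value a person places on winning £x, with $u(0) = 0$ (this notation is introduced here; the text does not use it). Preferring Game A to Game B means

$$0.20\,u(4000) > 0.25\,u(3000), \quad\text{or, multiplying both sides by 4,}\quad 0.80\,u(4000) > u(3000).$$

Preferring Game D to Game C means

$$u(3000) > 0.80\,u(4000).$$

The two inequalities contradict each other. Games C and D are exactly Games A and B with every probability multiplied by four, so anyone who weighs outcomes by probability, whether in pounds or in some private scale of value $u$, must rank the second pair the same way as the first. The observed pattern (A over B, D over C) therefore cannot be explained by maximizing expected winnings, nor by maximizing the expected value of any fixed valuation of the prizes; the certainty of Game D is being valued in its own right.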
In addition to risk aversion, other ways in which our brains process information can introduce biases into our decision making. We can see an example of this in the 'tram problem' that philosophers discuss.
Suppose that a runaway tram is heading towards a group of five people who will be killed if the tram continues on its present course. Most people say that it is acceptable to divert the tram to another set of tracks that has only one person on them, so that five deaths are prevented at the cost of only one.
On the other hand, if the alternative is changed from redirecting the tram to pushing a single person in front of the oncoming tram to stop it, most people find this new choice unacceptable. In both cases the number of lives saved is the same, but our brains seem to make the decision differently.
Both the Allais Paradox and the tram problem show that people sometimes make decisions in which they are maximizing something other than the expected return that their actions will bring. Economists and psychologists talk about people maximizing utility, a vague concept that incorporates all of the factors that people use to determine how they put relative values on alternatives.
In the case of the Allais Paradox, many people seem to put additional value on the certainty of outcomes. In the case of the tram problem, many people seem to put additional value on being able to distance themselves from a difficult decision.
By understanding that people are not maximizing just the expected outcome that we can measure in sterling or lives, but also other factors that contribute to the utility that they experience, we can understand decisions that might otherwise seem illogical.
In the case of making investment decisions for a business, however, maximizing utility may not be useful. It may make more sense to maximize the return on an investment instead of relying on our judgment, which is probably based on maximizing the utility of various alternatives instead of their financial return.
In the field of information security, investment decisions are probably still often made based on the judgment of skilled and experienced information security professionals rather than on reliable data that quantifies risks, simply because there is little such data available to support careful decisions.
And because even the judgment of experienced people may be tuned to maximizing utility instead of maximizing the return on investment, it may still be the case that the recommendations of skilled and experienced people can give us results that are not as good for a business as they could be.
Because of this, it is important to carefully quantify costs and benefits of security investments and to use careful, analytical decision-making as much as possible; this will tend to provide the best results.