Librarium Whitehat
"Inveniam viam aut faciam" : I will either find a way, or I shall make one


Something that has been on my mind recently is the choices we all make, not only in technology but in general. Whenever we decide to do something, we do so only after some kind of risk assessment of the choice. That assessment may be conscious or unconscious, but it happens regardless. There are of course factors that make it harder, such as not actually having all the information we need, but we still try to work with what we have.

What I am talking about is when we fail to differentiate between a gamble and a risk. Allow me to explain, because while the two terms sound similar, they are very different. I define a "risk" as something where, even if the action fails and you 'lose', the loss does not cripple you. You may suffer a temporary setback, but it is not a total disaster. I liken this to buying one lottery ticket a month: the odds of winning are astronomical, but losing that small amount of money will not kill you (bear in mind I am speaking generally here). A "gamble" is what I define as something you cannot afford to lose, because losing will be a major disaster for you, something from which you will not be able to recover. I liken this to playing Russian roulette: if you do not get it right, you ... uhhh ... will not be recovering from that.

A lot of problems come about when people get the difference between a gamble and a risk wrong, and so they find themselves in really bad situations, where they either have to keep raising the stakes (which only delays the inevitable) or have to do something they would normally never consider in order not to be wiped out by the consequences of their actions. You may not see how this applies to technology or security, right? What about K. T. Ligesh? Does the name ring a bell? His company, LxLabs, developed HyperVM, a virtualization management product. In 2009 a zero-day vulnerability in it was exploited at a hosting provider and thousands of hosted websites were deleted. Mr. Ligesh hanged himself soon afterwards. Argue all you like about his state of mind, but having this happen because of software he helped develop cannot have helped. That is the distinction in practice: a bug in a tool one person uses on their own machine is a risk; a bug in a product that manages thousands of other people's servers is a gamble, because the resulting loss is not one that anyone involved can simply recover from.

How often do we make choices about who we deal with, how we deal with them, what we allow, what we justify, and so on? Are we always taking 'risks', or are some of those choices 'gambles'?

And this entire process is made worse by our own blind spots. There is a song called "The Devil Went Down to Georgia", about the traditional bet between the devil and a mortal:

"Now you play a pretty good fiddle, boy, but give the devil his due:
"I bet a fiddle of gold against your soul, 'cos I think I'm better than you."
The boy said: "My name's Johnny and it might be a sin,
"But I'll take your bet, you're gonna regret, 'cos I'm the best that's ever been."

In the song, Johnny goes on to give the devil a beating. Nice. But not realistic. We all think we are 'the best that's ever been', but guess what? We are not. We may have some strengths, but too often we let those blind us to our weaknesses. There is an actual term for the faculty involved, 'metacognition', which is generally defined as follows:

"Metacognition is the awareness individuals have of their own mental processes and the subsequent ability to monitor, regulate, and direct themselves to a desired end."

Sounds nice, hey? What that means in essence, a point Kruger and Dunning made in their 1999 study of exactly this effect, is that the skills that equate to competence in a particular domain are often the very same skills necessary to evaluate competence in that domain, one's own or anyone else's. And what that means is that incompetent individuals lack the very knowledge they would need to recognise that they are incompetent. Think about that for a bit. We should all be able to admit that there are many areas in which we are incompetent, and that may even be easy. It seems far more difficult to say "I am only partway competent". A little knowledge is truly a dangerous thing.

Now all of this combines to have us make choices we should never have made, and we end up gambling when we think we are only taking a risk. Do you know the difference?