I was recently browsing, when I came upon an interesting article.
It was discussing the Monty Hall problem.
For those of you who don’t know, this problem is based on a US quiz show and has caused a huge amount of debate at various times in the past. The idea is as follows.
A contestant is asked to look at three closed doors and told behind two of them is a goat and behind the other, there is a sports car. Choose the correct door, you get the car, choose incorrectly and you go home with an old goat. (Please add your own joke here)
Monty Hall is the host of the show and he now asks the contestant to choose a door. The contestant chooses a door (1, 2, or 3) and at this point it now gets interesting. Monty (who knows which is the correct door for the car) opens one of the two un-chosen doors to reveal a goat. Monty now offers the contestant the opportunity to either remain with his chosen door or to switch to the other. The question is this – “should the contestant switch to the other door?” Once the final choice of door is made, the contestant’s door is opened to reveal his prize. (Note: The answer is at the bottom of this blog)
So what about the pigeons? Well recently, a couple of researchers trained pigeons to play the game (as a contestant!) – with a few obvious variations – (sports cars aren’t particularly attractive to a pigeon). Lo and behold, after a few days of trialling this, pigeons regularly outperformed humans in the selection of the correct door. Why? Well although it is difficult to ask them – it is believed pigeons work and learn from experience and assess probability differently to humans. In this case, humans get it wrong. Humans seem to over analyse and come to the wrong conclusion.
Humans do seem to be quite poor at assessing probabilities and hence risk. Only the other day I attended an event on Risk Methodologies and Corporate Governance at a leading business college and the speaker mentioned that checking the manufacturer logo on an aircraft engine was one of the things he did when he boarded, as this “was probably the riskiest journey he would take that day”. Really? Well being a bit of a pedant, I looked at the statistics for travel. Naturally there isn’t a definitive answer, it depends on what measure you select (distance travelled, number of journeys taken or hours spent on the transport), but in all three cases the highest risk for a journey is one taken by a motorcycle. In fact in two of the three measures, walking is actually far more of a risk than air travel if you work by statistics. Yet we continue to walk and ride motorbikes without much thought and concern ourselves over flights and engines.
I think of these things when I’m asked to do a security risk assessment. In PCI DSS, there is a requirement to carry out an annual risk assessment and working with clients I have seen a number of these in action. Although there are a number of methodologies out there, I am always interested to see where people focus their time and effort and it often seems to me that the issues which are raised and addressed in these assessments don’t always match the real experiences of what is happening out in the field. Partly this is due to a lack of information but also, I believe, because we humans sometimes don’t assess risks properly. So the next time you need to do a risk assessment – Call the pigeon!
PS: The answer to the Monty Hall Question is Yes, they should change their door choice – it doubles the contestant’s chances of winning!
VeriFone Sail navigating the winds of change?
So what does Point to Point Encryption mean to me as a merchant?
Report from PCI London - Changes in approach in dealing with PCI DSS
‘New Year – New You’ Taking the plunge into PCI Compliance…
Brussel Sprouts and PCI DSS Compliance…
New Solution Requirements Released for Point to Point Encryption