Wednesday, October 21, 2015

Biden vs Risk Analysis

What we try to do in cybersecurity is "risk analysis". Most people get this wrong.

An example of this is today's announcement by vice president Joe Biden that he won't run for president. Many pundits have opined that it's because he can't beat Hillary Clinton. This is wrong.

The phrase "can't beat Hillary" makes no sense. It imagines a world were risk is binary, you either can or you can't. That's not how it work. Instead, we calculate the odds of beating Hillary. That number is not 0%. For one thing, a meteor might hit the earth and strike Hillary dead, so there's always some chance of beating her.

Responsible risk analysts ignore the rhetoric and try to calculate the odds. The easiest way of doing this are on the many betting websites, which have variously given Biden a 5% to 10% of winning the presidency. Given that the presidency is easily worth a billion dollars, and you don't spend your own money (just donations), these are great odds. Everybody who believes their chance is greater than 5% runs -- which is why we have over 20 candidates right now.

In other words, would you pay $10 for a 5% chance of winning $1000? Of course you would. In the long run, the expected payout on such bets is five-to-one. Would you spend a year's worth of hard work for a 5% chance to win the presidency? Of course you would.

I suspect the real reason Biden didn't run is technical. He needs a competent team, but I suspect that the most competent people are already working for the ~20 other candidates. He needs party support, but I think Hillary has got all the party power players committed to her. Biden needs some powerful backers to get the ball rolling, to fund the first steps to get the stream of donations from the common people coming in, but I think they've all spent these season's budget on some other candidate. Or, maybe Hillary has dirt on him, and he's being blackmailed not to run. Whatever the reason, it's something technical like this.

In conclusion, risk is math, not rhetoric. Statements like "Biden can't win" or "computers aren't secure" are nonsense. Actual numbers are what we should be paying too.

No comments: