What can security professionals learn from poker?

Good poker players are known to perform well under pressure: they play their cards on the basis of rigorous probability analysis and impact assessment. These are very much the skills a security professional needs when managing information security risks.

It turns out, quite a bit. Skilled poker players are very good at making educated guesses about their opponents’ cards and predicting their next moves. Security professionals likewise need to stay at the forefront of emerging threats and vulnerabilities in order to anticipate the attackers’ next move.

At the start of a traditional Texas hold ’em hand, each player is dealt only two cards. Based on this limited information, they try to evaluate their odds of winning and act accordingly. A player can either stay in the hand, which means putting a bet into the pot, or give up (fold). Security professionals also routinely make decisions under a high degree of uncertainty. There are several ways to treat a risk: mitigate it by implementing the necessary controls, avoid it, transfer it or accept it. Each option carries a different cost.

Not all cards, however, are worth playing. Similarly, not every security countermeasure should be implemented. Sometimes it is more effective to fold and accept the risk than to pay for an expensive control. When the odds are right, though, a security professional can start a project to implement a change that improves the company’s security posture.

Once the first round of betting is over, the players receive a new piece of information. The flop is the poker term for the three community cards the dealer places face up on the table; each player can combine them with the two cards in their hand to form a winning combination. When the flop is revealed, the player has the opportunity to reassess the situation and make a fresh decision. In exactly the same way, changing market conditions or business requirements provide an impetus to re-evaluate the business case for a security countermeasure.

There is nothing wrong with terminating a security project

If a poker player had a strong hand at the start but the flop shows there is no point in continuing, conditions have changed. In security terms, perhaps engaging key stakeholders revealed that a certain risk is not as critical as first thought, or that the implementation costs are too high. Feel free to fold. It is far better to cancel a security project than to end up with a solution that is both ineffective and costly.

However, when poker players are confident that their hand is strong, they have to be ready to defend it. In security terms, this might mean convincing the board of the importance of a countermeasure on the strength of a rigorous cost-benefit analysis. Security professionals can still lose the hand and the company might still be breached, but at least they did everything in their power to mitigate that scenario proactively.

It doesn’t matter whether poker players win or lose a particular hand, as long as they make sound decisions that bring the desired long-term results. Even the best poker player can’t win every hand. Similarly, security professionals can’t mitigate every risk or implement every possible countermeasure. To stay in the game, it is important to develop and follow a security strategy that protects against ever-evolving threats in a cost-effective way.

Leron Zinatullin is the author of The Psychology of Information Security, which discusses how to improve an organisation’s security culture.