What can the game of poker teach a trained psychologist about the art and science of decision making? And how might those lessons be applied to help cybersecurity leaders improve their own decision-making capabilities?

In her most recent book, “The Biggest Bluff: How I Learned to Pay Attention, Master Myself, and Win” the psychologist and writer Maria Konnikova decided to spend a year immersing herself in the game of poker, specifically the most popular variant of the game, Texas Hold ‘Em, with the goal of competing in the game’s marquee event, the World Series of Poker.

Konnikova knew nothing about the game when she embarked on her journey but wanted to understand how she might apply her academic training in psychology and decision making to a game that might seem relatively simple and prone to the element of chance to the casual observer yet has confounded some of the great game theorists of our time.  

Like the game of Texas Hold ‘Em, the practice of security is ultimately an exercise in decision making. Specifically, how do you make the best decision possible with limited and incomplete information?

What makes poker special: Asymmetrical information

Asymmetric information theory deals with the study of decisions in transactions where one party has more or better information than the other. We see the dynamics of the asymmetric information model at work every day – it’s what the Internet is fundamentally really good at. It’s also what makes games like Texas Hold ‘Em different than other conventional games.

Checkers and chess are examples of perfect information games. All the information you need to make a decision is right there in front of you which is why these games can essentially be ‘solved’. Conversely, the game of Texas Hold ‘Em is a competition of hidden information. You don’t know what your opponent has and they don’t know what you have. This is why AI researchers have had a long-standing interest in poker as a way of understanding and deconstructing human decisions.

Fundamentally, poker is a contest in decision-making. The successful poker player combines their knowledge of probabilities with an understanding of psychology to help make consistently accurate judgments and consistently logical decisions. And I would argue that sound decision making in security follows a similar arc.

The swinging pendulum of information

In terms of cybersecurity, a good hacker is always trying to game the information asymmetry model – which is why we have seen a marked uptick in ‘Attacker Dwell Time’ which refers to the amount of time a threat actor spends undetected inside the network perimeter. It’s what distinguishes the petty street criminal who smashes a window and grabs whatever might be in their immediate vicinity from the sophisticated Oceans 11 crew that has spent weeks meticulously planning their big heist.

Increasingly, this new breed of cybercriminal is using their time inside the network to conduct intelligence reconnaissance, mapping out how various systems are connected to one another, identifying where the most valuable assets are housed, and plotting the steps required to escalate their privileges.

Whether its physical security or cybersecurity threats, the more information the bad actor has collected about a target over time, the more effective he or she will be in fully exploiting it down the line.

A professional poker player is likewise always looking to tilt the balance of information in their favor. From the visual ‘tells’ that an opponent might inadvertently divulge to recognizing the patterns and nuances of betting behaviors and what those might imply – the ability to collect and make sense of even small pieces of data and turning that into usable intelligence will often mean the difference between a winning and losing hand.

As Konnikova observes, “real life is based on making the best decisions you can from information that can never be complete; you never know someone else’s mind, just like can never know any poker hand but your own.”

Closing the feedback loop

A closer look at the most egregious security breaches that have hit the news show that better decision-making could have prevented many attacks and incidents, or at least mitigated their effects. Following such an event, security leaders often find themselves asking: “what could I have done better?” But perhaps the more insightful question would be: “what piece of missing information might have led to a different decision?”

Generally speaking, decision-making in security can be broken out into two broad categories. The first and most common is an ‘open-loop’ event-based decision-making process in which a security team works to quickly respond to a specific incident. This approach is largely reactive, time-bound, and by its very nature, constrained by limited or incomplete information.

The average security team makes hundreds of these reactive decisions every day as each alert demands an immediate response. The second and more strategic approach is one that incorporates the various inputs back into the decision-making system by closing the feedback-loop, ensuring that the system itself is codified with the learnings and experiences from previous decisions.  

These two decision frameworks are also what distinguishes the professional Texas Hold ‘Em players from the long-tail of amateurs. These pros recognize that they must continuously recalibrate their strategy depending on the variables that are known (e.g., their cards, the community cards, their position at the table) and those that are unknown (e.g., other player’s cards, the community cards that are still to come, etc.). By playing hundreds of thousands of hands over the course of many years, they have honed their ability to not only process and assimilate a greater volume information but also spot the small details that an average player will often overlook.

Of course, in security, the problem isn’t necessarily that we are making decisions with too little information. In fact, the larger problem is that we have often too much information at our disposal and have neither the tools or processes by which to distinguish the signal amidst a sea of noise.

3 lessons for security leaders

While there are many parallels and learnings that can be drawn between the game of poker and security practices, there are three lessons that I believe are most relevant to security leaders in these dangerous and uncertain times.

1. Illuminate your own blindspots and biases. In her book, Konnikova recognizes that one of her shortcomings is that while she is adept at reading the non-verbal cues of her opponents, she hasn’t taken the time to identify the blindspots in her own game. To this end, she begins working with a behavioral psychologist to help her become more aware of her own behavioral blindspots as well as other subconscious biases that might be inadvertently projecting her intentions to her opponents across the table.

Similarly, cognitive biases are perhaps the most underappreciated vulnerability among most security teams today. Because they are so embedded in our sense of self, they represent a glaring blindspot that can be challenging for even the most self-aware individuals and teams to objectively evaluate. Our instincts inform our perception of security. Unfortunately, as so many recent examples have illustrated, how we perceive security can differ greatly from its reality.

2. Mind The description-experience gap. In the field of behavioral science, the Description-Experience gap describes how we tend to overweight the risks of rare events while underestimating those risks that are more likely to occur. As Konnikova observes, “in study after study, people fail to internalize numeric rules, making decisions based on things like ‘gut feelings’ and ‘intuition’ rather than based on the data … but here’s what psychologists find over and over: you can show people all the charts you want, but that won’t change their perceptions of the risks or their resulting decisions. What will change their minds? Going through an event themselves or knowing someone else who has.”

Surely any battle-tested security professional can relate to this sentiment. We can throw all the quantitative data at the business owners but they likely won’t fully appreciate the risk of a data breach until they experience one themselves or read about it happening to another company in their industry. We likewise tend to place our trust in people or things that are familiar versus those that are not. With cybersecurity, this is perhaps one of the reasons why system administrators often fail to patch known vulnerabilities as they tend to give more weight to the possibility that the patch might break other stuff versus the very real possibility that it might cause irreparable damage sometime in the future.

3. Deconstruct your decision process. Konnikova’s poker coach, the legendary poker Champion Erik Seidel, encourages her to not worry about how to play every given hand in every possible situation but rather to train herself to understand, rationalize and articulate her thought process. As he counsels her, “sometimes the cards won’t go your way but so long as you are thinking correctly you shouldn’t beat yourself up about it.” This guidance helps her to break the negative thinking that often clouds our judgment when things that are out of our control, don’t go our way.

The decision-making process in security requires a similar discipline. Even the highest performing security teams are unable to plan for every potential attack or threat scenario. Nor should they. Rather, security leaders should invest their time and energy into helping their team focus on understanding the decision process itself so that they can clearly and confidently articulate the thought process that helped them arrive at a specific decision. Because the hard truth is that most people don’t ask themselves the simple question: what led me to make that decision. This basic exercise also helps foster greater accountability, awareness, and ultimately, will yield better decisions.  

Perhaps the single unifying thread between poker and security is that it ultimately comes down to the same skill: an ability or inability to correctly determine and quantify risk. And like game of poker, security is an endeavor of precision and probabilities which are being continuously assessed, recalibrated and refined. The more you can train yourself to make smart decisions with imperfect information, the more successful you will ultimately be.

If you’re interested in learning more about the dynamics of decision-making in poker and how it can be applied to the domain of security, you can watch this presentation from Maria Konnikova herself in this webcast.