Possibility is not Probability

Rich Mogull wrote a posting regarding possibility & probability that has been on my mind for the last week or so. In this post (which I encourage you to read) Rich calls out an important truth: the likelihood that something COULD happen does not represent the same level of risk as that it WILL happen. While I agree with the statement itself, I find myself on a different side of the line regarding his conclusions.

Rich posits that because “the odds of an average Mac user being infected by any type of malware are so low as to be unmeasurable”, protecting a Mac against malware isn’t currently worth doing. With this, I disagree fundamentally.

To his point, in 2005 the population of Arizona was 1,466,296 people. Of that number, 5,001 cases of physical assault were reported, meaning the percentage of people assaulted in Arizona (in 2005) was .38%. Not even 1/2 of a percent of the people in Arizona were assaulted. The reported number of rape victims at the time is even lower.

Knowing that isn’t entirely sufficient in determining individual probability and risk (as other factors like where you spend time, who you are around, and what you do have strong implications), you still have to ask yourself if you’re willing to risk it. With the numbers being so low, does this mean you shouldn’t carry mace if you are a woman? Does this mean it’s silly to have a knife or gun to protect yourself? Should you not learn to defend yourself at all?

Some people will decry this post as being fear mongering… but let me be very clear about my view on this: The security field isn’t basket weaving. I secure the systems I build for the same reason I lock the front door to my house. Bad guys may try to get in and do harm.

If the damage that could result from a compromise is high, it’s likely worth the mitigation. The result of not addressing this type of risk is exactly how you end up with a port hole on top of your death star that if touched properly blows your whole investment to pieces.


To confuse possibility and probability is a mistake. I am not advocating that you start working on a strategy to protect your home from airplanes that may crash into it. Chances are still, in fact, quite low that this will happen.

What I am advocating is that removing (or reducing) a threat, regardless of its low probability, may sometimes be the most rational and sane thing you can do. It’s because there is a chance that, despite the reasons, my house may not be safe to stay in that I have escape plans for the family. The cost of not addressing the concern is simply too high.



  • jamie  On May 19, 2010 at 10:20 pm

    i think all it means is that i won’t bother to carry mace or a gun when walking around anywhere in arizona. in harlem or compton… different story.

  • pinvoke  On May 19, 2010 at 10:26 pm


    As I sort of hinted at, much goes into determining individual probability of risk. There are sections of Arizona that are just as violent (maybe even more so) as Harlem or Compton. Either way, I still wouldn’t suggest not carrying something to protect yourself. Especially not if you keep hanging around with those Google folk. I hear they like to assault your data and steal your soul. 🙂

