“Mathematics and psychology.” That’s poker (including Texas Hold ‘em) according to the legendary poker player Mike Caro. That could also describe the field of information security. In this column, while I’ll show some of the overlap between Texas Hold ‘em Poker and information security, I’ll mainly focus on the differences. Notably, it’s the difference in mindset (psychology) between the poker player and the security professional that is most relevant.
My first encounter with Texas Hold ‘em was in early 2002. I read an article in the Atlantic Monthly regarding poker tells. It was the first time I realized that poker was as much about people as it was about cards. After the article I forgot about the game. It wasn’t until a month or so ago that I started reading a few poker books, mainly out of curiosity after watching a poker tournament broadcast on TV. During my studies I realized how the poker pieces fit together and poker’s relevance to information security. It was after recently reading a poker article in this month’s Trader Magazine (June / July 2008 – subscription required) comparing trading decisions to poker decisions that I felt the topic should be explored here.
Information security professionals often discuss risk: “What is the probability that X event will occur and what are the consequences?” Understanding risk is one important tool in our toolbox to help us make correct decisions about where to allocate resources when determining how to protect our company. Whether it’s web application security, patching the infrastructure, corporate legal exposure or creating policies, we figure out quantitatively or qualitatively the biggest gaps and then seek to reduce the risk in our environment through the proper controls.
In Texas Hold ‘em, one determines the odds / probability that a particular outcome will result going forward when playing a particular hand. In short, determining the odds and probabilities of one’s hand is the same, metaphorically speaking, as determining the risk in one’s environment. This calculation helps one to proceed in the decision-making process. This is where one may say that the mathematical perspectives of Texas Hold ‘em and information security overlap. It’s also where the two start to differ.
From the standpoint of psychology, information security professionals calculate risk to minimize it. So do poker players: a poker player wants to minimize their chip loss. Unlike information security professionals, poker players seek to maximize their gain by taking calculated risks once the odds are known. Poker players calculate the odds to determine if they might win the hand, if they should wager and how much they should wager. In other words, unlike information security professionals who are risk averse and seek to minimize risk, poker players are calculated risk takers: the exact opposite.
The front office — traders, business executives — and individuals outside of an operational role, are generally considered risk takers. Whether it’s taking a risk in the stock market (traders) or leading a company to go green (business executive), these are decisions that weigh and model risks before taking a calculated course of action to try to maximize a return. Calculated risk taking is the cornerstone of all business.
Texas Hold ‘em poker allows the information security professional to understand the psychology of the executive and the psychology of calculated risk taking in a controlled, gaming environment. Poker allows the infosec professional to discover how a non-risk-averse personality thinks and experiences the world. In short, we can temporarily stand in their shoes. It’s my opinion that knowing the rationale behind such a perspective will yield better relationships between our field and the business units from both a communication perspective and a comradery perspective.
While this is a very high level analysis, future columns may deal with the psychology of poker and the psychology of information security in depth.
Suggestions for Learning Texas Hold ‘em Poker
Let me put on my risk-averse hat for a minute. I do not have much faith in online gambling. Too much can go wrong: odds can be fixed without one’s knowledge, sniffer programs exist that allow anyone at the electronic table to calculate other players’ gaming habits, etc.
Here is the list of books that helped me understand the underlying principles of poker:
- Quick and Easy Texas Hold’em – My first book. It gave me a very good high level understanding of the game and aspects of it I would not have considered otherwise.
- Texas Hold’em Odds and Probabilities: Limit, No-Limit, and Tournament Strategies – This book clearly explained how poker players calculate odds and probabilities to help make decisions when faced with a hand.
- The Theory of Poker – This is generally considered one of the best poker books ever written. It combines the strengths of the two books mentioned above and explains them in a deeper way.
I recommend downloading PokerTH from Sourceforge as well as playing Texas Hold ‘em Poker on Yahoo! Games should one want to learn to play. These two environments do not try to solicit one to play the game for money, which is important when learning. I also believe that card playing is like drinking alcohol: it’s fine in moderation but can lead to addiction and serious consequences. I do not condone gambling (which is different than recreational card playing).
I have often read that poker is a skill more than “gambling.” And after my research, I believe that’s true. I also believe that there is a big learning curve if one wants to properly play the game. Unfortunately, I do not have enough time to devote to practicing poker to further advance my card playing skills and must resort to being a spectator.