Disclaimer: The opinions of the columnists are their own and not necessarily those of their employer.
Kenneth F. Belva

Why Information Security Professionals Should Learn Texas Hold ‘em Poker

“Mathematics and psychology.” That’s poker (including Texas Hold ‘em) according to the legendary poker player Mike Caro. That could also describe the field of information security. In this column, while I’ll show some of the overlap between Texas Hold ‘em Poker and information security, I’ll mainly focus on the differences. Notably, it’s the difference in mindset (psychology) between the poker player and the security professional that is most relevant.

My first encounter with Texas Hold ‘em was in early 2002. I read an article in the Atlantic Monthly regarding poker tells. It was the first time I realized that poker was as much about people as it was about cards. After the article I forgot about the game. It wasn’t until a month or so ago that I started reading a few poker books, mainly out of curiosity after watching a poker tournament broadcast on TV. During my studies I realized how the poker pieces fit together and poker’s relevance to information security. It was after recently reading a poker article in this month’s Trader Magazine (June / July 2008 – subscription required) comparing trading decisions to poker decisions that I felt the topic should be explored here.

Information security professionals often discuss risk: “What is the probability that X event will occur and what are the consequences?” Understanding risk is one important tool in our toolbox to help us make correct decisions about where to allocate resources when determining how to protect our company. Whether it’s web application security, patching the infrastructure, corporate legal exposure or creating policies, we figure out quantitatively or qualitatively the biggest gaps and then seek to reduce the risk in our environment through the proper controls.

In Texas Hold ‘em, one determines the odds / probability that a particular outcome will result going forward when playing a particular hand. In short, determining the odds and probabilities of one’s hand is the same, metaphorically speaking, as determining the risk in one’s environment. This calculation helps one to proceed in the decision making process. This is where one may say that the mathematical perspectives of Texas Hold ‘em and information security overlap. It’s also where the similarity ends.

From the standpoint of psychology, information security professionals calculate risk to minimize it. So do poker players: a poker player wants to minimize their chip loss. Unlike information security professionals, poker players seek to maximize their gain by taking calculated risks once the odds are known. Poker players calculate the odds to determine if they might win the hand, if they should wager and how much they should wager. In other words, unlike information security professionals who are risk adverse and seek to minimize risk, poker players are calculated risk takers: the exact opposite.
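To make the contrast concrete, here is an added worked example (mine, not the column’s): the same probability arithmetic feeds two different decision rules. The poker side calls a bet when the expected value of the call is positive; the infosec side funds a control when the annual loss it removes exceeds its annual cost. The outs, pot sizes, loss figures and control costs are constructed for illustration.

```python
from fractions import Fraction


def hold_em_win_probability(outs: int, unseen: int = 47) -> Fraction:
    """Chance that at least one of the two remaining board cards is an out.

    After the flop a player has seen 5 cards (2 hole, 3 board), so 47 cards
    are unseen by default. Computed as 1 - P(miss turn) * P(miss river).
    """
    miss_turn = Fraction(unseen - outs, unseen)
    miss_river = Fraction(unseen - 1 - outs, unseen - 1)
    return 1 - miss_turn * miss_river


def should_call(outs: int, pot: int, bet: int, unseen: int = 47):
    """Calculated risk taker: call when the call has positive expected value.

    `pot` is what is already in the middle (opponent's bet included);
    `bet` is what we must put in to see the hand through.
    Returns (call?, expected value of calling in chips).
    """
    p = hold_em_win_probability(outs, unseen)
    ev = p * pot - (1 - p) * bet
    return ev > 0, ev


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """Risk as the column frames it: consequence (single loss expectancy, SLE)
    times probability (annualised rate of occurrence, ARO)."""
    return sle * aro


def control_worthwhile(sle: float, aro_before: float, aro_after: float,
                       annual_control_cost: float):
    """Risk minimiser: fund the control when the ALE it removes exceeds
    what it costs per year. Returns (fund?, ALE reduction)."""
    reduction = (annual_loss_expectancy(sle, aro_before)
                 - annual_loss_expectancy(sle, aro_after))
    return reduction > annual_control_cost, reduction


if __name__ == "__main__":
    # Constructed hand: flush draw (9 outs) facing a 20-chip bet into a 100-chip pot.
    print(should_call(outs=9, pot=100, bet=20))       # call: EV is positive
    print(should_call(outs=9, pot=100, bet=100))      # fold: EV is negative
    # Constructed risk: $50k incident, 0.5/yr; a $10k/yr control cuts it to 0.05/yr.
    print(control_worthwhile(50_000, 0.5, 0.05, 10_000))   # fund it
    print(control_worthwhile(2_000, 1.0, 0.0, 5_000))      # control costs more than the risk
```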

The front office — traders, business executives — and individuals outside of an operational role, are generally considered risk takers. Whether it’s taking a risk in the stock market (traders) or leading a company to go green (business executive), these are decisions that weigh and model risks before taking a calculated course of action to try to maximize a return. Calculated risk taking is the cornerstone of all business.

Texas Hold ‘em poker allows the information security professional to understand the psychology of the executive and the psychology of calculated risk taking in a controlled, gaming environment. Poker allows the infosec professional to discover how a personality that is not risk adverse thinks and experiences the world. In short, we can temporarily stand in their shoes. It’s my opinion that knowing the rationale behind such a perspective will yield better relationships between our field and the business units, from both a communication perspective and a camaraderie perspective.

While this is a very high level analysis, future columns may deal with the psychology of poker and the psychology of information security in depth.

Suggestions for Learning Texas Hold ‘em Poker

Let me put on my risk adverse hat for a minute. I do not have much faith in online gambling. Too much can go wrong: odds can be fixed without one’s knowledge, sniffer programs exist that allow anyone at the electronic table to calculate other players’ gaming habits, etc.

Here is the list of books that helped me understand the underlying principles of poker:

I recommend downloading PokerTH from Sourceforge as well as playing Texas Hold ‘em Poker on Yahoo! Games should one want to learn to play. These two environments do not try to solicit one to play the game for money, which is important when learning. I also believe that card playing is like drinking alcohol: it’s fine in moderation but can lead to addiction and serious consequences. I do not condone gambling (which is different than recreational card playing).

I have often read that poker is a skill more than “gambling.” And after my research, I believe that’s true. I also believe that there is a big learning curve if one wants to properly play the game. Unfortunately, I do not have enough time to devote to practicing poker to further advance my card playing skills and must resort to being a spectator.

2 Comments

  1. Gary Jun 17, 2008 at 3:42 am

    Speak for yourself, Kenneth. Not all infosec pros are “risk adverse” as you say (I believe you mean ‘risk averse’, by the way). Risk aware, maybe, cautious by nature but not risk averse. To get things done in The Real World, most of us realized early in our careers that outright principled risk aversion sets us against the rest of the organization. It’s the root cause of naive ISM functions commonly being known as The No Department.

    I’m not saying we should be The Yes Department either. Mostly I’d settle for a “Yes If …” or “No Unless …”, so long as it leads to incremental improvement and a greater level of knowledge, understanding and most of all accountability for our business management colleagues who are paid to make the difficult decisions. And there ARE situations in which it is totally appropriate to say No! NO! NO NO NO! The trick is to pick your battles, and beware the scars.

    G.

  2. Navin Jul 18, 2008 at 1:19 am

    Agree with you Gary. I think that the business would actually like us to be calculated risk takers. Business leaders are all about taking calculated risks so that they can effectively execute on business strategy. Since we are best placed to make decisions regarding acceptable risk relating to information security, if our risk appetite is significantly different to that of the business, then we will either pull them back or pitch them forward. We’ve got to calibrate infosec risk against business operational risk, financial risk, etc. and make decisions regarding information security in the same vein.
