


by Sandy Kendall

How Do You Figure the Odds?

Apr 21, 2003 · 2 mins
CSO and CISO, Data and Information Security

It's bad enough when security is breached in any of our systems, but when that breach is captured live on national TV, it really makes you shudder. Last week's incident at Comiskey Park (OK, U.S. Cellular Field) in Chicago, when a fan jumped onto the field and tackled the first base umpire, was surely a big shudder for Major League Baseball, and many others.

And the shuddering creates a ripple effect. While this particular event didn't lead to serious physical harm to the first base ump, it will no doubt, because of its public viewing and repeated replaying, lead to some security changes. (Also because, bizarrely, a similar incident occurred at Comiskey Park last fall.)

A colleague here at CSO went to a ballgame at Fenway Park the very next night, and told us that he and a friend got to talking about the event and then, during pitching changes, they made some rough calculations about the odds of such a thing happening. "We did the math," he said. "There are 162 games and 30 teams, so that equals 2430 games. Multiply that by, say, 10 years and that's 24,300 games. We guessed an average of 25,000 fans per game, so we squared 25,000 (for ease) and it comes out to 625,000,000 fans over 10 years. Two incidents out of 625,000,000 fans means your threat pool is 1 in 300,000,000 fans will do something like this. Or you could say, given 2 years and 2 incidents, it's likely to happen once a year (1 in 2,430 risk). But since it has only happened twice in 10 years, you could also position the risk as 1 in 10,215. At any rate, this isn't to minimize the effect or suggest the incident shouldn't be treated seriously, but rather to demonstrate how hard the security job is, both in determining risk and in planning for a threat that's not bloody likely."

Obviously my colleague's reckonings are less than scientific, but they illustrate the point: How do you prepare and assign resources for an event that is not bloody likely? Even assuming all the necessary metrics are in hand, how do you select the right permutation for analyzing them? And how do you balance that with intangibles such as public perception? In short, how do you decide which threat to focus on? Tell us your strategy.