# Assessing Risk? Ask a pigeon.

I was recently browsing, when I came upon an interesting article.

It was discussing the Monty Hall problem.

For those of you who don’t know, this problem is based on a US quiz show and has caused a huge amount of debate at various times in the past. The idea is as follows.

A contestant is asked to look at three closed doors and told behind two of them is a goat and behind the other, there is a sports car. Choose the correct door, you get the car, choose incorrectly and you go home with an old goat. (Please add your own joke here)

Monty Hall is the host of the show and he now asks the contestant to choose a door. The contestant chooses a door (1, 2, or 3) and at this point it now gets interesting. Monty (who knows which is the correct door for the car) opens one of the two un-chosen doors to reveal a goat. Monty now offers the contestant the opportunity to either remain with his chosen door or to switch to the other. The question is this – “should the contestant switch to the other door?” Once the final choice of door is made, the contestant’s door is opened to reveal his prize. (Note: The answer is at the bottom of this blog)

So what about the pigeons? Well recently, a couple of researchers trained pigeons to play the game (as a contestant!) – with a few obvious variations – (sports cars aren’t particularly attractive to a pigeon). Lo and behold, after a few days of trialling this, pigeons regularly outperformed humans in the selection of the correct door. Why? Well although it is difficult to ask them – it is believed pigeons work and learn from experience and assess probability differently to humans. In this case, humans get it wrong. Humans seem to over analyse and come to the wrong conclusion.

Humans do seem to be quite poor at assessing probabilities and hence risk. Only the other day I attended an event on Risk Methodologies and Corporate Governance at a leading business college and the speaker mentioned that checking the manufacturer logo on an aircraft engine was one of the things he did when he boarded, as this “was probably the riskiest journey he would take that day”. Really? Well being a bit of a pedant, I looked at the statistics for travel. Naturally there isn’t a definitive answer, it depends on what measure you select (distance travelled, number of journeys taken or hours spent on the transport), but in all three cases the highest risk for a journey is one taken by a motorcycle. In fact in two of the three measures, walking is actually far more of a risk than air travel if you work by statistics. Yet we continue to walk and ride motorbikes without much thought and concern ourselves over flights and engines.

I think of these things when I’m asked to do a security risk assessment. In PCI DSS, there is a requirement to carry out an annual risk assessment and working with clients I have seen a number of these in action. Although there are a number of methodologies out there, I am always interested to see where people focus their time and effort and it often seems to me that the issues which are raised and addressed in these assessments don’t always match the real experiences of what is happening out in the field. Partly this is due to a lack of information but also, I believe, because we humans sometimes don’t assess risks properly. So the next time you need to do a risk assessment – Call the pigeon!

PS: The answer to the Monty Hall Question is Yes, they should change their door choice – it doubles the contestant’s chances of winning!

6714

Member since

19 Mar 2009

Location

Blog posts

6,246

6,552

## More from Retired

#### European sovereignty shackled to its payments

This post is from a series of posts in the group:

### Information Security

The risks from Cyber cime - Hacking - Loss of Data Privacy - Identity Theft and other topical threats - can be greatly reduced by implementation of robust IT Security controls ...