Steve is shy - is Steve a librarian or a Salesperson?

Many people will assume that Steve is a librarian, however, there are way more salespeople than librarians - so statistically speaking, Steve is more likely to be a salesperson. This is called the “base rate” bias, and it’s when people ignore the bigger picture (base rate) and only focus on specific information. You see, statistics can be very misleading, and marketers do this all the time to lead us to their “preferred” conclusion. It is also why we stereotype and say that librarians are shy :)

So what does this have to do with Cyber Security?

Let’s say we start a new anti-virus startup with the latest Buzz word technology. We want to be better at detection than any other company, so we set a goal to detect 100% of the malware. Yeah, 100%!!! Not less. And we don’t want to lie about it. So how can we claim that? Easy… we mark every process on our network as a virus. Yes, we will get many false alerts, but we will also correctly identify all the malware. Ok, this was an extreme example, but vendors focus on marketing their “success” level in the real world, but what about their failure rate? Do they provide us statistics on that? At the end of the day, we will be dealing with both. We buy the solution with the highest detection rates, and then we go and buy the solution that can analyze and remove false positives, and then we outsource it to someone else to manage :)

So if Steve ever throws statistics at you ask him about the base rate, regardless if Steve is a librarian or salesperson :)

Do you have other examples of base rate fallacy?