Case Study
Think Like a Poker Player – Don’t Gamble With Your Cybersecurity
Liv Boeree is one of the most successful female poker players in history, having scooped up $3.5m in tournament winnings during a 15-year career. She tells Robert Scammell why businesses should think more like a poker player when making cybersecurity decisions, and how the odds are not in the favour of those who fail to take the threat seriously.
Professional poker players don’t think like most people. To be successful in the game one must maintain focus for hours on end, calculating the likely success of every decision all while giving nothing away to opponents. In this environment there’s no space for emotion and, contrary to Hollywood depictions, ignoring the numbers for a ‘gut feeling’ is a sure-fire way to spew off your chips.
While poker might be a game with a fixed objective – that is, to accrue your opponent’s chips – it has many crossovers with the business world. Yet all too often, business leaders fall into the trap of relying on instinct over information.
“I think poker is a great proxy for many things in life,” says British poker player Liv Boeree, who has European Poker Tour and World Series of Poker titles to her name.
“The willingness to think in a quantified way is the mark of a good decision maker – whatever you're doing.”
“It's a game where you are trying to outwit your opponents, and you've all sort of got similar-ish objectives. And that's what business is, right? You're trying to outsmart your opponents to win the biggest share of the prize. And so I think there's an immense amount of crossover.”
Boeree concedes that there are more variables in the business world than at the poker table. But ultimately, she says, we’re all “governed by the laws of chance and statistics”.
Business leaders that understand this paradigm and use it to inform their decision-making process are giving themselves a competitive advantage.
“The willingness to think in a quantified way, to think in percentages and odds, is the mark of a good decision-maker – whatever you're doing,” Boeree tells Verdict Magazine.
Quantifying cyber risk
Such a mentality can be valuable across all areas of business, but is particularly pertinent when considering cybersecurity. It is all too easy for businesses to underestimate the cyber threat, taking an ‘it won’t happen to me’ approach.
But a report published by secure messaging and collaboration platform Wire, titled ‘Odds of a Bad Bet’, lays bare how the odds are stacked against businesses that take a lax approach to cybersecurity.
According to Wire, the odds of a business avoiding a malware attack in the next year are as “unlikely as pulling the ace of spades from a shuffled deck on one try” – or 2%.
Boeree, who collaborated with Wire on the report, found this statistic striking and attributes it to the low cost for a cybercriminal to fire out malware into the wild, be it via malicious emails or dangerous websites.
“I think that was the one that really made me sit up and listen and be like oh, wow, this is a problem,” she says.
Ravaged by ransomware
In 2019, a spate of ransomware attacks crippled numerous US cities, including Baltimore, Maryland; Greenville, North Carolina and Texas.
The estimated cost of these attacks spiralled into the tens of millions and has likely exceeded $100m.
According to Wire, the odds of your business suffering a “costly ransomware attack are the same as a hurricane hitting Florida next year”.
Similarly, a business is “over ten times more likely to suffer a week-long downtime from a ransomware attack than you are to suffer a house fire”.
By failing to make the necessary cybersecurity investments, in addition to upholding a robust cybersecurity culture, businesses are gambling with their very survival.
“People often use intuition as an excuse to be intellectually lazy.”
Those that fall victim to a cyberattack can find themselves crippled not just by operational losses, but also reputational damage and regulatory fines.
These factors have lead Wire to conclude that “the average ROI [return on investment] of cybersecurity intelligence investment is twice as high as that of the S&P 500”.
Knowing when to rely on your gut
Businesses would do well to take on board these statistics and approach cybersecurity in a quantified way, says Boeree.
Her advice to decision makers is to “know when to rely on your intuition and when not to”.
She says that “people often use intuition as an excuse to be intellectually lazy” and avoid properly weighing up the outcomes and carrying out a cost-benefit analysis.
“But really your gut is just best suited for things that are like life or death situations. A car swerves into your lane – if you try and think about it, you will die. If you just let your instincts take over they'll probably do a better job.”
She continues: “The general rule of thumb these days seems to be – at least if the internet is anything to go by – is that your intuition is this magical thing, that if in doubt, you should just always trust it. And poker has shown me very clearly that that's not necessarily the case.”
At the poker table, Boeree has made “mathematically erroneous calls” because her gut told her the other player was bluffing.
“My gut was completely wrong. And yes, there's been many times when it was right, but it's not perfect,” she says. “And I think this applies to business because it's very, very rare – particularly in the day and age of data science [where] we have so much information and data at our fingertips and analytical tools – it's very unlikely that your intuitions are going to be able to outperform those.”
“The point is that you can't expect your instincts to be better calibrated than what the data actually says.”
Back to top