Survivorship bias: It's not the certificates and keys you can see that will cause you challenges, it's the ones you can't
In 1943 the US Air Force tasked Abraham Wald with a problem. Too many of their planes were being shot down, so they wanted to add extra armour to the vulnerable parts of the planes. Too much armour would make the planes too heavy to fly properly, so they couldn’t add extra armour over the entire plane. They asked Wald to tell them how much extra armour to add to the parts of the planes that were being hit most often.
To help Wald, they had collected statistics on the bullet holes in planes returning from combat. They presented him with the statistics showing where on the plane most bullet holes were recorded.
After a short while, Wald supplied his findings and recommendations.
The answer Wald came up with surprised them. He instructed the Air Force to put the extra armour not where the bullet holes were, but where they weren’t: on the engines! And how did Wald come up with this answer? Simple. He considered the missing bullet holes.
The Air Force had presented him with statistics on planes that had returned safely from combat. Wald recognized this as a biased sample that told a distorted and incomplete story. There were also a lot of planes at the bottom of the ocean, and Wald correctly guessed that these planes were full of bullet holes in the engines.
The Air Force followed his advice and the results were stunning. Immediately, more planes started returning safely from combat, saving the lives of countless pilots and crew members.
Wald correctly identified this as not so much a math problem as a problem of survivorship bias, and once you understand this concept you start seeing it everywhere. Survivorship bias tells a lot of distorted and incomplete stories, and looking for the missing bullet holes, as Wald had done, can save you from making bad decisions based on inaccurate and incomplete information.
Your cryptography is just like this story. Most folks focus on the certificates and keys they think they know they have, and in most cases struggle to manage even those. However, it is not the certificates and keys that you can see and know about that will harm your company. Just as in the story of Abraham Wald and survivorship bias, it’s the ones that you do not know about and cannot see that will ultimately cause you failure.