Cybersecurity Canon Candidate Book Review: “Thinking in Bets: Making Smarter Decisions When You Don’t Have All the Facts” (2018) by Annie Duke

Posted: November 2, 2020

Book written by Annie Duke

Book review by Bill Yurek

Right up front, Thinking in Bets is not a cybersecurity book, per se. The word "cyber" doesn't show up in there at all, and I'm pretty sure you won't even find the word "computer."

So why then did I read it for the Cybersecurity Canon? Well, I'm working with colleagues on a process for assessing certain cyber vulnerabilities and their resultant risks. Along the way, we had more than one senior executive demonstrate views of risk that were based more on personal belief and a flawed understanding of company history than on actual risk principles. An exasperated colleague said, "I just wish I could get them to read something like Annie Duke's book." I asked, "Who's Annie Dukes?" And here we are.

Duke was studying for a doctorate in cognitive psychology when she was sidelined by life events, and decided to turn that study of human thought into a very successful poker career, winning $4 million before retiring. She has since parlayed the combination of her studies and her poker career into careers as an author and corporate business consultant, where she extends her lessons from the betting table to daily decision making in business. I had hoped reading her book would give me some good ammo to use when debating risk processes and decisions. After all (and Duke says this many times), all decisions are bets. You are betting that your decision will yield a result more favorable to you than the alternative decisions.

Unfortunately, although I did get some solid insight into some aspects of risk and decision-making, I didn't get the knockout-punch, convince-that-exec-with-your-reasoning information I sought. Perhaps in time a real-life situation will give me the opportunity to make better use of Duke's ideas in that way, but I haven't encountered one yet.

Which of Duke's points best fit what I was seeking, and which fit into the concept of cyber risk assessments? Here they are:

-    A bad outcome doesn't mean there was a bad decision. Every decision is a bet, a bet made based on incomplete information. If you lose the bet, it doesn't mean your decision was wrong. The example Duke cites that stuck with me was that if you make a bet based on a 60% chance that you'll win, but instead you lose, it doesn't mean making that bet was wrong. 40% still happens a lot of the time.
-    We make cyber risk decisions based on imperfect or incomplete information all the time. If a risk we didn't plan for is realized, it doesn't necessarily mean that our decision not to mitigate that risk was wrong. It may just mean that the dice didn't roll our way, and we were hit by that one threat that we never saw coming. Luck is one of the great unknowns in a risk calculation.
-    When you are convinced your view of things is the only correct one, ask yourself, "What is the likelihood that everyone else is an idiot?" In the corporate world we are taught to stick by our guns, but our unfailing belief in ourselves makes it unlikely we will consider all of the relevant information. Being smart makes it worse, because the smarter you are, the better you are at constructing a narrative that supports your beliefs, rationalizing data to fit your position. When you are wrong, you view it as a product of bad luck or outside factors, but when you are right, you attribute it to your smart decision-making. How many times in your organization have you seen a senior executive make a decision contrary to all other opinions because he/she was sure that his/her more extensive skills and experience justified doing so?
-    You should join groups of participants who have had similar experiences and expertise and who can critique your choices, provide more information, and identify the biases you don't see in yourself. This speaks for the use of groups such as cyber risk committees, cross-functional assessment teams and the like.

These are not the only points Duke makes, but they are the ones that stuck with me. The central message throughout the book is that you shouldn't judge the quality of a decision by the quality of the outcome. I was once told that if you learn and retain one good thing from each article or book you read, you are doing well. That's my one thing.

One final downside to Thinking in Bets: Duke presents some great ideas, often in interesting ways, but her book is just TOO LONG. The book could be shortened by about 75% and still convey the points she makes. It would make for a solid article in a business magazine. The main concepts are quickly explained, and then what takes over is repetition of the same point, phrased in different ways. I thought some of the early points were interesting and helpful, but once I felt I could, I read through the remaining pages as quickly as I could.
