In every industry, and in our daily lives, we face situations where we need to make decisions. In the cybersecurity industry this could be, for example, what kind of security awareness training to run in the organization, when to perform penetration tests, or which alternative to password authentication to use. Decision making is often a complex task, with uncertainty in both the available information and the outcome of the decision. There are several statistical tools that can help, such as decision trees, which provide a valuable way of describing the situation.
Before making any decision it is important to understand the variables involved, which means gathering data in order to make a better-informed decision.
For example, consider a situation where you are thinking of going for a hike on the weekend. First, you should look at the weather conditions in the mountains before deciding whether to go, but there are other types of information you should also consider. This adds more complexity, since the decision maker needs to choose what type of data to collect. Gathering data can be very expensive and time consuming. Continuing with the example of the hike, you may need to gather more information on the area by buying maps (additional cost) or talking with locals (time consuming).
Value of Information (VOI) is a very useful tool that the decision maker can use to decide what type of information to gather. VOI can be seen as the amount of money the decision maker is willing to pay to gather new information. To compute VOI, we first compute the prior value, which is given by what the decision maker already knows and believes, and then compare it with the posterior value, which is computed once the variables to observe have been selected.
There are two main approaches the decision maker can adopt when it comes to data gathering. The decision maker could take a static approach and gather all the data at once, or a dynamic approach: start by gathering some data and then, given the outcome, decide whether to proceed with additional data. The choice of approach depends on the decision situation and on the data sources.
It is important to keep in mind that this analysis is done before any data has been observed, so we need to account carefully for all the uncertainties involved. The decision maker should then be interested in choosing the information that gives the maximum average value.
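The prior-versus-posterior comparison described above, worked through for the penetration-test decision as an added example (not code or a method from Praxis Security Labs). The states, actions, scan accuracy figures and payoffs are all constructed assumptions, as are the function names.

```python
# Added example. All probabilities and values below are constructed for illustration.
PRIOR = {"vulnerable": 0.3, "secure": 0.7}  # what the decision maker believes now

# VALUE[action][state]: outcome of each action in each state, in cost units (assumed)
VALUE = {
    "pentest_now": {"vulnerable": -20, "secure": -20},
    "defer": {"vulnerable": -100, "secure": 0},
}

# LIKELIHOOD[result][state]: P(scan result | state) for an imperfect scan (assumed)
LIKELIHOOD = {
    "alert": {"vulnerable": 0.8, "secure": 0.1},
    "no_alert": {"vulnerable": 0.2, "secure": 0.9},
}

def best_expected_value(belief):
    """Expected value of the best action under a belief over states."""
    return max(sum(belief[s] * v[s] for s in belief) for v in VALUE.values())

def prior_value():
    """Value of deciding now, using only the prior belief."""
    return best_expected_value(PRIOR)

def posterior_value():
    """Average, over possible scan results, of the best decision after seeing each."""
    total = 0.0
    for likelihood in LIKELIHOOD.values():
        p_result = sum(likelihood[s] * PRIOR[s] for s in PRIOR)
        updated = {s: likelihood[s] * PRIOR[s] / p_result for s in PRIOR}  # Bayes
        total += p_result * best_expected_value(updated)
    return total

def value_of_information():
    """Most the decision maker should pay for the scan: posterior minus prior value."""
    return posterior_value() - prior_value()

def worth_gathering(cost):
    """True if the scan's VOI exceeds what it costs to run."""
    return value_of_information() > cost

if __name__ == "__main__":
    print(prior_value(), posterior_value(), value_of_information())
```

With these assumed numbers the scan only changes the decision when it reports no alert, and that is where its entire value comes from.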
Without going too much into the mathematics of the problem, what I want to stress is the great help that VOI can give to the decision maker by suggesting the best data gathering scheme, choosing only the data that are really worthwhile, and (if needed) giving an indication of when and where it is best to collect the information. At Praxis Security Labs, we are always finding innovative solutions for our customers, and VOI is one approach we use to help them decide which solution will be the most beneficial.
To know more about what we do and how, schedule a meeting with our CEO, Kai Roer, or with our Director of Research, Thea Mannix.