# The Flaw of Averages in Cyber Security

Sam Savage, PhD, is the founder of ProbabilityManagement.org, author of *The Flaw of Averages: Why We Underestimate Risk in the Face of Uncertainty*, and consulting professor at Stanford. © Copyright 2015, Sam L. Savage.

The Flaw of Averages is a set of systematic errors that occur when uncertain assumptions are replaced with single “average” numbers. The most serious of these, known as Jensen’s Inequality by mathematicians, states roughly that “plans based on average assumptions are wrong on average.” The essence of cybersecurity is the effective mitigation of uncertain adverse outcomes. I will describe two variants of the Flaw of Averages in dealing with the uncertainties of a hypothetical botnet threat. I will also show how the emerging discipline of probability management can unambiguously communicate and calculate these uncertainties.
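The statement that "plans based on average assumptions are wrong on average" can be checked numerically. The following is an added example, not code from the author or from ProbabilityManagement.org; the mitigation capacity, the cost per Gbps and the uniform distribution of botnet attack volume are all assumed values chosen for illustration.

```python
import random
import statistics

# All figures below are assumptions made for this illustration.
CAPACITY_GBPS = 100.0     # traffic the defender can absorb without loss
COST_PER_GBPS = 1_000.0   # cost of each Gbps that exceeds capacity
LOW, HIGH = 0.0, 200.0    # attack volume ~ Uniform(LOW, HIGH), mean 100 Gbps


def loss(attack_gbps):
    """Zero loss up to capacity, linear above it: a convex function."""
    return max(0.0, attack_gbps - CAPACITY_GBPS) * COST_PER_GBPS


def simulate(trials=100_000, seed=2015):
    """Compare the loss at the average volume with the average loss."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    volumes = [rng.uniform(LOW, HIGH) for _ in range(trials)]
    losses = [loss(v) for v in volumes]
    mean_volume = (LOW + HIGH) / 2  # the single "average" number a plan uses
    return {
        "average_volume": statistics.fmean(volumes),
        # The plan built on the average: volume equals capacity, so no loss.
        "loss_at_average_volume": loss(mean_volume),
        # What happens on average across the uncertain outcomes.
        "average_loss": statistics.fmean(losses),
        # Share of trials in which the "no loss" plan is wrong.
        "share_of_trials_with_loss": sum(x > 0 for x in losses) / trials,
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value:,.2f}")
```

Because the loss function is convex, the average loss (about 25,000 under these assumptions) exceeds the loss computed at the average volume (zero), which is the direction Jensen's Inequality predicts.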