The Calculus of Risk, Tech Competence Edition

Remember the calculus of risk from torts?

P is the probability of loss. L is the magnitude of the loss. B is the cost of prevention, or the burden. If PL is greater than B (that is, B < PL), you have a duty of reasonable care and you have to take steps calculated to prevent the harm. If you don’t, you are negligent.

Lots of lawyers seem to put computer security on their list of things to do someday, if they ever have some time (yeah right). That’s not good enough. I want to convince you that it is critical for you to pay attention to computer security now.

The calculus of risk is from torts, not ethics, but it is a useful-if-clunky way to look at anything that involves a duty of reasonable care. Like Rule 1.6(c), for example:

A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.

Reasonable efforts is a duty of care. So let’s see how the calculus of risk plays out when we apply it to computer security.

B. For cost, I’ll use the numbers from my security guide. The cost of the first three security tips is close to zero. The cost of the fourth is less than $50 per year.

L. The harm they prevent is substantial. Let’s say you use the same password for your email and bank account that you used for one of the 420,000 websites compromised by Russian hackers in 2014. And let’s say those hackers decided to do something other than use your email account to send spam. With very little effort, they could empty your bank account and wipe the hard drives of your computers and devices. How much would that set you back? $1,000? $10,000? $100,000? Let’s call it $1,000, which is probably way too low.

P. How likely is it that the loss will occur? Well, just going by the 1.2 billion passwords those Russian hackers are sitting on, let’s ballpark it at around 17% (1.2 billion is about 17% of the world’s current population of over 7 billion).

Let’s plug in those numbers.

17% × $1,000 = $170

$170 > $50

If you have $1,000 in your bank account and the likelihood of those accounts getting emptied is 17%, then PL is $170. In other words, if it would cost you less than $170 to avoid the harm, you are negligent if you don’t. Reasonable efforts in this scenario means $170 or less.

Of course, you probably have more than $1,000 in your bank accounts (including your trust account) and the probability you will get hacked is much greater than 17%,[1] which means you really need to implement some basic security, like using good passwords, encrypting your files, taking care when using Wi-Fi, and enabling two-factor authentication.

[1] In 2011 one study found it was a statistical certainty.

1 Comment

  1. Brad Rosen says:

    Judge Learned Hand, we hardly knew ye, but in probability he likely would have recommended you purchase Sam’s security guide. (see )
