Some Research Comparing Experts and Algorithms

Some of this research started in a very different field and during a time before the concept of cybersecurity had even been imagined. As early as the 1950s, the American psychologist Paul Meehl proposed an idea that shook up the field of clinical psychology. He claimed that expert‐based clinical judgments about psychiatric patients might not be as good as simple statistical models. Meehl collected a large set of studies showing that statistical models based on medical records produced diagnoses and prognoses that at least matched but usually beat the judgment of trained clinicians. Meehl was able to show, for example, that personality tests were better than experts at predicting several behaviors regarding neurological disorders, juvenile delinquency, and addictive behaviors.

In 1954, he wrote the seminal book on the subject, Clinical versus Statistical Prediction. At the time of this initial research, he could already cite over 90 studies that challenged the assumed authority of experts.⁷ Researchers such as Robyn Dawes (1936–2010) of the University of Michigan were inspired to build on this body of research, and every new study that was generated only confirmed Meehl's findings, even as they expanded the scope to include experts outside of clinical diagnosis.^8,9,10 The library of studies they compiled included findings predicting the GPAs of college freshmen and medical students, criminal recidivism, sporting events, and medical prognoses. After the studies had grown significantly in number, Meehl felt forced to conclude the following:

There is no controversy in social science which shows such a large body of qualitatively diverse studies coming out so uniformly in the same direction as this one. When you're pushing 90 investigations [now over 150], predicting everything from the outcome of football games to the diagnosis of liver disease and when you can hardly come up with a half dozen studies showing even a weak tendency in favor of the [human expert], it is time to draw a practical conclusion.¹¹

The methods used in this research were straightforward. Ask experts to predict some objectively verifiable outcomes—such as whether a new business will fail or the effectiveness of chemotherapy for a cancer patient—then predict the same thing using an algorithm based only on historical data, then lastly track both over a large number of predictions, and see which method performs better.

Such conclusive findings as those of Meehl and his colleagues inevitably draw the interest of other researchers looking for similar phenomena in other fields. In one of the more recent examples, a study of oil exploration firms shows a strong relationship between the use of quantitative methods (including Monte Carlo simulations) to assess risks and a firm's financial performance.^12,13 NASA has been applying Monte Carlo simulations based on historical data along with softer methods (based on subjective scales) to assess the risks of cost and schedule overruns and mission failures. The cost and schedule estimates from the quantitative methods had, on average, less than half the error of scientists and engineers using nonquantitative methods.¹⁴

In perhaps the most ambitious study of this kind, Philip Tetlock conducted an experiment over a 20‐year period and published it in his book Expert Political Judgment: How Good Is It? The title indicates a particular focus in politics, but he interpreted it broadly to include economics, military affairs, technology, and more. He tracked the probabilities of world events assigned by a total of 284 experts in their respective fields. By the conclusion of the study he had collected over 82,000 individual forecasts.¹⁵ (This puts Tetlock's data equal to or in excess of the largest phase III clinical drug trials published in scientific journals.) Based on this data, Tetlock was willing to make even stronger statements than Meehl and his colleagues:

It is impossible to find any domain in which humans clearly outperformed crude extrapolation algorithms, less still sophisticated statistical ones.

Why Does This Happen?

Robyn Dawes, Meehl's colleague whom we mentioned earlier, makes the case that poor performance by humans in forecasting and estimation tasks is partly due to inaccurate interpretations of probabilistic feedback.¹⁶ These researchers came to view the expert as a kind of imperfect mediator of input and output. Very few experts measure their performance over time, and they tend to summarize their memories with selected anecdotes. The expert then makes rough inferences from this selective memory, and according to the research published by Dawes, this can lead to an “illusion of learning.” That is, experts can interpret experience alone as evidence of performance. They believe years of experience should result in improved performance, so they assume that it does. But it turns out that we cannot take learning for granted no matter how many years of experience are gained.

Tetlock proposed in his book that “human performance suffers because we are, deep down, deterministic thinkers with an aversion to probabilistic strategies that accept the inevitability of error.” The math of dealing with error and uncertainty is the math of probabilities. If we can't get that math right in our heads, then we will have a lot of difficulty with probabilistic forecasting problems.

For example, if someone was not good at simple arithmetic, we wouldn't be surprised if that person was not very good at estimating, say, the costs and duration of a large, complex engineering project with many interrelated elements. Surely a person skilled at those estimates would know how to multiply the number of people involved in a task, their cost of labor, and the duration of the task in order to estimate the task's labor costs. He or she would also know how to total the costs of the separate tasks along with other project costs (e.g., materials, licenses, and equipment rental).

When an expert says that, based on some experience and data, one threat is a bigger risk than another, they are doing a kind of “mental math” whether intentional or not. We aren't saying they are literally trying to add numbers in their heads; rather, they are following an instinct for something that in many cases really could be computed. How well our intuition matches the math has also been measured by an impressive array of research including that of Daniel Kahneman, winner of the 2002 Nobel Prize in Economic Sciences, and his colleague Amos Tversky. They showed how even statistically sophisticated researchers will tend to greatly misestimate the odds that new data will confirm or contradict a previous experiment of a given sample size,¹⁷ and will incorrectly estimate expected variations in observations based on sample size.¹⁸ (This was briefly mentioned in Chapter 2.)

By “statistically sophisticated,” we mean that the subjects of this research were actual scientists published in respected, peer‐reviewed journals. As Kahneman and Tversky noted in this research, “It's not just that they should know the math, they did know the math.” Even for those who know the math, when they resort to their intuition, their intuition is wrong. For all of us, including trained scientists, various recurring—but avoidable—mathematical errors are just one of the challenges of trying to do math in our heads.

Even though all of this research is borrowed from fields outside of cybersecurity, the breadth of these findings in so many areas seems to demonstrate that they are fundamental and apply to any area of human judgment, including cybersecurity. But if the variety of findings in so many areas doesn't convince us that these same issues apply to cybersecurity, consider another argument made by Kahneman and another researcher in decision psychology, Gary Klein.

Kahneman and Klein point out three necessary conditions for experience to result in learning. First, there must be consistent feedback. The person must be given the information about past performance regularly, not rarely. Second, the feedback must be relatively immediate. If a person makes several forecasts for events that may happen years from now (which is often the case in a cost‐benefit analysis for some new investment in, say, technology, infrastructure, or new products), the delay in the feedback will make learning more difficult. Third, the feedback should be unambiguous. If the person simply says a cybersecurity project will be a “success” or that risk will be reduced, that may be open to interpretation. And when our past performance is left to interpretation, we are likely to interpret data in a way that would be flattering to ourselves. Unless we get regular, immediate, and unambiguous feedback, we are likely to have selective memory and interpret our experiences in the most flattering way.

So the uncomfortable question cybersecurity risk analysts must ask themselves is this: Does the experience of the cybersecurity expert actually meet those requirements? Do cybersecurity experts actually record all their estimates of probability and impact and then compare them to observation? Even assuming they did that, how long would they typically have to wait before they learned whether their estimate was correct? Even if estimates are recorded and we wait long enough for the event to occur, was it clear whether the original estimate was correct or the discrete event occurred or not? For example, if we say we lost reputation from a breach, how do we know that, and how did we actually validate—even approximately—the magnitude of the event as originally estimated?

Even if judgments of cybersecurity risk assessments were unambiguous and faithfully recorded, the delay of the feedback alone presents a major obstacle to learning. For example, suppose we have an event we assess as having a 10% chance of occurrence per year. We are considering a control to reduce this risk but have uncertainty about the control. If this control works, it doesn't eliminate the chance of the event, but it should reduce the annual likelihood of this event by half. Let's say the estimates so far are based on a lot of industry data except for whether the control will even work at all in our environment. To keep it simple, we'll assume that it either works or doesn't and we judge that there is a 50/50 chance the control will work and reduce the chance of occurrence by half (down to 5%). If it doesn't work, then the annual likelihood is still 10%.

If we observe this system long enough, we can update our judgment about whether the control is working. If we could observe this system over a very long time and maybe in a large number of organizations, we could detect a difference between a 10% and 5% annual probability faster. But suppose we limit our observations to the experience of one manager or risk analyst in one organization. If it doesn't happen in the first five years, that tells us very little about whether the control is working. That could easily be the same outcome if the control were effective or if the control were no better than wearing your lucky socks to work. In Chapter 8, we discuss Bayesian methods, which could be applied to solve this. For now, we'll just tell you the answer. If we don't observe the event after eight years, we can adjust our probability that the control is effective from 50% to just 60%. In other words, it could still easily be the case that the control was ineffective but we were just a bit lucky. If we waited 16 years and the event has not yet occurred, we would still only be 70% certain the control is working, and if we waited 30 years, it rises to about 84%. Even to learn at this slow rate assumes the original forecast was recalled accurately. How many of your forecasts from five years ago do you recall accurately today? How many did you even document?

Risk management also lacks another required component for learning. Kahneman and others pointed out that learning must be based on a “high validity” environment. This refers to the predictability of a system. In an environment where the outcomes are mostly random, learning becomes much more difficult. For example, you can watch a roulette table or coin flipping for many decades and not get any better at predicting outcomes. This would be a “low validity” environment. On the other hand, if you are watching moves in a chess game for that long, you will probably get better at estimating who will win well before the game ends. Risk management, by its nature, involves randomness and, consequently, it becomes very hard to learn from experience.

In cybersecurity, like many other fields, we cannot assume learning happens without deliberate processes to make sure that is the case. These findings are obvious to researchers such as Meehl:

The human brain is a relatively inefficient device for noticing, selecting, categorizing, recording, retaining, retrieving, and manipulating information for inferential purposes. Why should we be surprised at this?¹⁹

This does not mean that experts know very little about their fields. They have a lot of detailed technical knowledge. The performance of experts in the research mentioned so far relates only to the estimation of quantities based on subjective inferences from recalled experience. The problem is that experts often seem to conflate the knowledge of a vast set of details in their field with their skill at forecasting uncertain future events. A cybersecurity expert can become well versed in technical details such as conducting penetration tests, using encryption tools, setting up firewalls, using various types of cybersecurity software, and much more—and still be unable to realistically assess their own skills at forecasting future events.

The Subjective Probability Component

A critical component of risk analysis is cybersecurity experts’ assessment of the likelihoods of events, such as cybersecurity breaches, and the potential costs if those events occur. Whether they are using explicit probabilities or nonquantitative verbal scales, they need to judge whether one kind of threat is more likely than another. Since we will probably have to rely on the expert at some level for this task, we need to consider how the experts’ skill at this task can be measured and what those measurements show.

This is a well‐documented area of research based on recorded judgments of experts and nonexperts in many different fields. Every study takes a similar approach. Large numbers of estimates are collected from individuals and then compared to observed outcomes. The findings are conclusive and repeated by every study that looks at this issue:

• Without training or other controls, almost all of us would assign probabilities that deviate significantly from observed outcomes (e.g., of all the times we say we are 90% confident, the predicted outcome happens much less frequently than 90% of the time).
• There are methods, including training, that greatly improve the ability of experts to estimate subjective probabilities (e.g., when they say they are 90% confident, they turn out to be right about 90% of the time).

One example related to research in a different profession, that of corporate chief financial officer (CFO), illustrates the typical findings of these studies. Researchers in a 2010 study at the National Bureau of Economic Research asked CFOs to provide estimates of the annual returns on the S&P 500.²¹ These estimates were in the form of ranges—given as a lower bound and an upper bound—of values that were wide enough that the CFO believed they had an 80% chance that the range would contain the correct answer. We can refer to these as 80% confidence intervals (CI).²² By simply waiting, it was easy to confirm what the actual return was over a given period of time. Although the CFOs were extremely experienced and well educated for their positions, their 80% CIs actually contained the true answers only 33% of the time. They believed that they provided ranges that would not contain the correct answer only 20% of the time, but in fact the answers were outside of their bounds 67% of the time. This is a rate of “surprise” much higher than they expected.

This is a measure of overconfidence. The confidence of experts, in this case expressed in the width of an 80% CI, contained the correct answer much less often than the experts expected. In other words, they did not have the 80% chance they thought they had of the stated interval containing the eventually observed value. Unfortunately, this phenomenon is not limited to CFOs. Several studies over the last several decades confirm that overconfidence is a pervasive characteristic of nearly all of us. Calibrated probability assessments have been an area of investigation since the 1970s by a large body of published research, led at first by Daniel Kahneman and Amos Tversky.²³ Their research showed that almost all people in many different professions are about as overconfident as the previously mentioned CFOs.

This research is not purely academic. It affects real‐world judgments and affects actions taken to solve real problems. One of the authors (Hubbard) has had the opportunity over the last 20 years to collect one of the largest data sets regarding this phenomenon. Hubbard has tested and trained over 2,000 individuals from several different industries, professions, and levels of management. As mentioned earlier, over 150 of the subjects in these studies were specifically in the field of cybersecurity at the time of this writing.

To measure how well experts assigned subjective probabilities, Hubbard gave them a series of tests similar to those in most other studies. In an initial benchmark test (conducted before any training meant to improve estimation skills), Hubbard would ask the participants their 90% CIs for estimates of general trivia knowledge (e.g., when was Isaac Newton born, how many meters tall is the Empire State Building, etc.). Most individuals provided ranges that only contained about 40% to 50% of the correct answers, similar to what the previously mentioned researchers had observed.²⁴

Overconfidence is also observed when applying probabilities to discrete events—such as whether a cyberattack will result in a major data breach this year. Of course, the outcome of a single event is generally not a good indicator of how realistic a previously stated probability happens to be. If we say that an event is 25% likely to occur by the end of next year, whether it happens or not is not proof the probability was unrealistic. But if we track a number of experts making many probability assessments, then we can compare expectations to observations in a more valid manner.

Suppose, for example, a group of experts gives 1,000 estimates of probabilities of specifically defined events. These could be data breaches of a certain minimum size occurring during a defined period, the probability of loss greater than $10 million, and so on. Suppose for 100 of those estimates they said they were 90% certain of the outcome. Then the stated outcome should have happened about 90 out of 100 times. We would expect some variation just due to random luck, but we can compute (as we will show later) how much random error is acceptable. On the other hand, if they are right only 65 out of 100 times they said they were 90% confident, that result is a lot worse than what we would expect by just bad luck (if only bad luck were at play, there is only a 1 in 68.9 billion chance that they would be wrong that often). So the much more likely explanation would be that the experts are simply applying far too high a probability to events they should be less certain about. Fortunately, other researchers have run experiments showing that experts can be trained to be better at estimating probabilities by applying a battery of estimation tests, giving the experts a lot of quick, repetitive, clear feedback along with training in techniques for improving subjective probabilities.²⁵ In short, researchers discovered that assessing uncertainty is a general skill that can be taught with a measurable improvement. That is, when calibrated cybersecurity experts say they are 85% confident that a major data breach will occur in their industry in the next 12 months, there really is an 85% chance it will occur.

Again, the breadth of different people that have been measured on this “component” includes not just CFOs but also physicians, engineers, intelligence analysts, students, scientists, project managers, and many more. So it is reasonable to say that these observations probably apply to everyone. Remember, just in case someone was to try to make the case that cybersecurity experts were different from all the other fields that have been measured, Hubbard's data does include over 150 cybersecurity experts from many industries. They do about as poorly as any other profession on the first test. We also observe that they improve dramatically during the training, just like those in every other field Hubbard has tested, and about the same share succeed in becoming calibrated by the end of the training (85% to 90% of experts become calibrated).

In Chapter 7, we will describe this training and its effects in more detail. We will explain how you can calibrate yourself with some practice and how you can measure your performance over time. This skill will be a starting point for developing more advanced quantitative models.

The Expert Consistency Component

Ultimately, testing subjective probabilities for calibration relative to overconfidence means waiting for observed outcomes to materialize. But another type of calibration can be observed very quickly and easily without necessarily waiting for the predicted outcomes to happen or not: we can measure the consistency of the expert. That is, independent of whether the judgment was accurate, we should also expect the expert to give the same answer consistently when given the exact same situation. Of course, consistent answers do not mean the answers are any good, but we know that two contradictory answers cannot both be correct. The amount of inconsistency must be at least a lower bound for estimation error. In one extreme, if “experts” give wildly different answers every time they look at the exact same issue, then this would be indistinguishable from someone who ignores the information they are given and randomly picks estimates from slips of paper in a bowl. We don't have to wait for predicted events to occur in order to evaluate the consistency of that expert. Likewise, even if researchers are perfectly consistent with their own previous judgments but give very different answers than other experts, again, we at least know they can't all be right (of course they could all be wrong). Fortunately, these components of expert performance have also been measured at length. Researchers in the 1960s have given names to both of these measures of consistency:²⁶

• Stability: an expert's agreement with their own previous judgment of the identical situation (same expert, same data, different time);
• Consensus: an expert's agreement with other experts (same data, different experts).

In more recent work, Daniel Kahneman summarized research in this area in his book Noise: A Flaw in Human Judgment.²⁷ He refers to the lack of stability as “occasion noise,” and he splits the lack of consensus into “level noise” and “pattern noise,” but otherwise the concepts and findings are consistent with the earlier research.

In every field tested so far, it has been observed that experts are highly inconsistent—both in stability and consensus—in virtually every area of judgment. This inconsistency applies whether it relates to project managers estimating costs, physicians diagnosing patients, or cybersecurity experts evaluating risks.

In an early twentieth‐century example of this expert consistency measurement, researchers gave several radiologists a stack of 96 x‐rays of stomach ulcers.²⁸ Each radiologist was asked to judge whether the ulcer was a malignant tumor. A week later the same radiologists were given another set of 96 x‐rays to assess. Unbeknownst to the radiologists, they were actually the same x‐rays as before but in a different order. Researchers found that radiologists changed their answers 23% of the time.

If we ask an expert in such a situation whether the arbitrary order of the list should have any bearing on their judgments, they would all agree that it should not. And yet the research tells us that the arbitrary order of lists like this actually does affect their judgments.

A particular source of inconsistency appears in another common type of judgment. When estimating numbers, the expert can be influenced by an effect known as “anchoring.” Simply thinking of one number affects the value of a subsequent estimate even on a completely unrelated issue. Researchers showed how using arbitrary values, such as one's Social Security number or a randomly generated number, affects subsequent estimates of, for instance, the number of doctors in an area or the price of things on eBay.^29,30

Why shouldn't random, irrelevant factors like anchoring also affect the judgment of cybersecurity experts? We've had a lot of opportunity to gather information on that point, and a summary of this data follows:

• In multiple separate projects by the time of this writing, Hubbard and his staff calibrated over 150 cybersecurity experts from over 20 organizations and asked them to estimate the probabilities of various types of cybersecurity events. The projects were for clients from six different industries: oil and gas, banking, higher education, insurance, retail, and health care. Each of these experts had previously completed calibrated probability‐assessment training.
• Each expert was given some descriptive data for 80 to 200 different systems or threat scenarios in the organization. The types of scenarios and the data provided varied among the clients, but it could include information about the type of data at risk, the operating systems involved, types of existing controls, the types and numbers of users, and so on.
• For each of these systems, scenarios, or controls, each expert was asked to assess the probabilities of up to six different types of events including confidentiality breaches, unauthorized editing of data, unauthorized transfer of funds, theft of intellectual property, availability outages, and how much a control might reduce a likelihood or impact.
• In total, for all of the experts surveyed assessing between two and six probabilities for each of 80 to 200 situations, we have more than 60,000 individual assessments of probabilities.

What the experts were not told at the time they were providing these estimates is that the list they were given included some duplicate pairs of scenarios. In other words, the data provided for the system in the ninth row of the list might be identical to the data provided in the ninety‐fifth row, the eleventh might be the same as the eighty‐first, and so on. Each expert had several duplicates in the list, totaling over 3,700 duplicate pairs by the time of this writing.

To measure inconsistency, we simply needed to compare the first estimate the expert provided with their second estimate for the identical scenario. Figure 4.1 shows how the first and second estimates of identical scenarios compare. To better display the concentration of a large number of points in the same locations of this chart, we added a bit of random noise around each point so that they don't all plot directly on top of one another. But the noise added is very small compared to the overall effect, and the noise is only for the display of this chart (it is not used in the statistical analysis of the results).

What we observe is that 26% of the time, there was a difference greater than 10 percentage points between the first and second estimate—for example, the first estimate was 15% and the second was 26%. Some differences were much more extreme. There were even 2.7% where the difference was greater than 50 percentage points. See Figure 4.2 for a summary of these response inconsistencies.

As inconsistent as this may seem, it's actually worse than it looks. We have to compare this inconsistency to the “discrimination” of the expert. That is, how much do the experts’ responses vary for a given type of event? The probabilities estimated varied substantially by the type of risk being assessed. For example, availability risk (a system going down) was generally given probabilities that were higher than an integrity risk where someone could actually steal funds with unauthorized transactions. If all of the responses of the expert only varied between, say, 2% and 15% for a given type of risk (say, the chance of a major data breach), then a 5 or 10 percentage point inconsistency would make up a large part of how much the judge varied their answers.

Consistency is partly a measure of how diligently the expert is considering each scenario. For some of the experts, the inconsistency accounted for most of the discrimination. Note that if inconsistency equaled discrimination, this would be what we would observe if an expert were just picking probabilities at random regardless of the information provided. In our surveys, most judges appeared to at least try to carefully consider the responses with the information provided. Still, we see that inconsistency accounts for at least 21% of discrimination. That is a significant portion of the expert's judgment reflecting nothing more than personal inconsistency.

We should note that a small percentage of the duplicates were discovered by the participants. Some would send an email saying, “I think there is an error in your survey. These two rows have identical data.” But nobody who found a duplicate found more than two, and most people discovered none. More importantly, the discovery of some duplicates by the estimators would only serve to reduce the observed inconsistency. The fact that they happened to notice some duplicates means that their consistency was measured to be higher than it otherwise would have been. In other words, inconsistency is at least as high as we show, not lower.

Fortunately, we can also show that this inconsistency can be reduced, and this will result in improved estimates. We can statistically “smooth” the inconsistencies of experts using mathematical methods that reduce estimation error of experts. The authors have had the opportunity to apply these methods specifically in cybersecurity (the inconsistency data shown in Figure 4.1 were from real‐world projects where we applied these methods). We will describe these methods in more detail later in the book.

The Collaboration Component

We just saw that there is a lot of data about subjective judgments of individual experts, but there is also interesting research about how to combine the judgments of many experts. Perhaps the most common method of combining expert judgments is sometimes referred to in the US military as the “BOGSAT” method—that is, the “Bunch of Guys Sitting Around Talking” method (excuse the gender specificity). The experts meet in a room and talk about how likely an event would be, or what its impact would be if it occurred, until they reach a consensus (or at least until remaining objections have quieted down).

We can apply different mathematical methods for combining judgments and different ways to allow for interaction among the experts. So as we've done with the other component tests, we ask whether some methods are shown to measurably outperform others.

Some research, for example, shows that the random stability inconsistencies of individuals can be reduced by simply averaging several individuals together.³¹ Instead of meeting in the same room and attempting to reach consensus as a group, each expert produces their own estimate independently, and their estimates are averaged together.

This approach and some of the research behind it were explained in the book The Wisdom of Crowds by James Surowiecki.³² Surowiecki also described several other collaboration methods, such as “prediction markets,”³³ which show a measurable improvement over the estimates of individual experts.

The same data that allowed Hubbard Decision Research to measure expert stability was also able to measure consensus. If judges were simply personally inconsistent—that is, they had low stability—we would expect disagreements between judges solely due to random personal inconsistency. However, the actual total disagreement between experts was more than could be accounted for by stability alone. In addition to being personally inconsistent, experts in the same organization also had systemic disagreements with each other about the importance of various factors and the overall risk of cybersecurity attacks.

It is interesting to note, however, that cybersecurity experts at a particular organization provided responses that were somewhat correlated with their peers at the same organization. One expert may have estimated the probability of an event to be consistently higher than their peers, but the same information that caused them to increase or decrease a probability also had the same effect on other experts. At least they were more or less in agreement “directionally.” So we do not observe that different experts behave as if they were just randomly picking answers. They agree with each other to some degree and, as the previous research shows, they can predict outcomes better if we can average several experts together.

In addition to simple averaging of multiple experts, there are some powerful methods that outperform averaging. In Chapter 7, we will discuss other various methods for combining estimates from multiple experts. Some “expert aggregation” methods are consistently better than averaging and even better than the best individual expert.

The Decomposition Component

We have already seen that experts don't perform as well as statistical models based on objective, historical data. But what about quantitative models that are still based on subjective estimates? Is it possible for experts to build models, using only their current knowledge, that outperform how they would have done without the quantitative models? The research says yes.

From the 1970s to the 1990s, decision science researchers Donald G. MacGregor and J. Scott Armstrong, both separately and together, conducted experiments about how much estimates can be improved by decomposition.³⁴ For their various experiments, they recruited hundreds of subjects to evaluate the difficulty of estimates such as the circumference of a given coin or the number of pairs of men's pants made in the United States per year. Some of the subjects were asked to directly estimate these quantities, while a second group was instead asked to estimate decomposed variables, which were then used to estimate the original quantity. For example, for the question about pants, the second group would estimate the US population of men, the number of pairs of pants men buy per year, the percentage of pants made overseas, and so on. Then the first group's estimate (made without the benefit of decomposition) was compared to that of the second group.

Armstrong and MacGregor found that decomposition didn't help much if the estimates of the first group already had relatively little error—like estimating the circumference of a US 50‐cent coin in inches. But where the error of the first group was high—as they were with estimates for men's pants manufactured in the United States, or the total number of auto accidents per year—then decomposition was a huge benefit. They found that for the most uncertain variables, a simple decomposition—none of which was more than five variables—reduced error by a factor of as much as 10 or even 100. Imagine if this were a real‐world decision with big uncertainties. Decomposition itself is certainly worth the time.

Doing the math explicitly, even if the inputs themselves were subjective estimates, removes a source of error. If we want to estimate the monetary impact of a denial‐of‐service attack on a given system, we can estimate the duration, the number of people affected, and the cost per unit of time per person affected. Once we have these estimates, however, we shouldn't then just estimate the product of these values—we should compute the product. Since, as we have shown earlier, we tend to make several errors of intuition around such calculations, we would be better off just doing the math in plain sight. It seemed obvious to many of the researchers that we are better off doing whatever math we would have done in our heads explicitly. As Meehl mentioned in one of his papers:

“Surely, we all know that the human brain is poor at weighting and computing. When you check out at a supermarket, you don't eyeball the heap of purchases and say to the clerk, ‘Well it looks to me as if it's about $17.00 worth; what do you think?’ The clerk adds it up.”³⁵

Still, not all decompositions are as informative. It is possible to “over‐decompose” a problem.³⁶ The reason we decompose is that we have less uncertainty about some things than we do others, and we can compute the latter based on the former. If, however, we do not have less uncertainty about the variables we decompose the problem into, then we may not be gaining ground. In fact, a bad decomposition could make things worse. In Chapter 6, we will discuss what we call “uninformative decompositions” in more detail. Even assuming your decompositions are useful to you, there are several decomposition strategies to choose from, and we will start with no particular position about which of these decompositions are more informative. The best decomposition method may vary from one organization to the next as the information they have varies. But, as we will see in Chapter 6, there are some hard mathematical rules about whether a decomposition actually reduces uncertainty. We should use these rules as well as empirically measured performance to determine the best method of decomposition for a given organization.