A lot of tips about good writing are rooted in the psychology of your reader. For example, if you want your reader to understand a risk (a probability), is it better to express that as a relative frequency (1 in 20) or a percentage (5%)?
1/
Typically, people understand risk better as a frequency. For example, consider the likelihood of a kid dropping out of high school. You could say that 5% of kids drop out, or that 1 in 20 does. Why is the latter more effective?
2/
First, it's something you can more easily visualize. There's some evidence you might be converting the percentage into the frequency representation in your head anyway. Weber et al (2018) talked about this here: frontiersin.org/articles/10.33…
3/
Next, it's more tangible to many audiences. We can all think of 20 people. Some may have 20 folks in their family or workplace.
Imagine if you're a teacher. If your class size is 20, you could interpret that as though one of YOUR students could drop out.
4/
Even if your class size is different from 20, the frequency representation gives you a clear basis for judgment. If your class size is 30, you know that there is an even stronger chance one of your kids could be one that drops out. You could even have two!
5/
This representation also makes it more intuitive to compare risks. While the average dropout rate across the US is 5%, it is 35% for students with a disability. Said another way, 7 out of 20 students in the latter group will not graduate. 6 more than average!
6/
And, not for nothing, lots of folks are just bad at statistics, appreciating differences in them at varying scales, or getting at their true meaning. This stuff is hard, particularly if you don't do it all the time. I struggle with this all the time.
7/
Researchers wield this knowledge well -- I read a study recently that described interventions for getting nurses to wash their hands more. They pointed out that 1 in 20 hospital patients get an infection in the hospital, and hand washing can significantly help prevent that.
8/
That's relevant because nurses visualize those 20 patients. On some floors, they may see that many in a day or over a couple of days. It means more, intuitively, than 5%. It *humanizes* the problem and simplifies interpretation.
9/
There are things to be careful of with this approach. It usually involves rounding. That's okay in some places but not in others. Sometimes you want to provide the frequency and give the percentage in an appendix or as supporting data.
10/
You also have to make sure the quantities (the denominator) are reasonable for the audience. An X out of 20 (classroom) or X out of 250 (school) frequency might be relevant for a teacher, whereas an X out of 10000 might not be.
11/
In general, most folks can relate personally to smaller denominators. Not as many can relate to larger ones. We see folks struggle with that a lot now with COVID stats. A lot of those (and other things policymakers rely on) are X out of 100,000 frequencies.
12/
Lastly, it becomes annoyingly easy for folks to manipulate quantities in ways that trick people. That usually means oversimplifying complex issues, comparing unrelated things, or ignoring skewed data. That's a broader discussion.
13/
I'll caveat a lot of this, again, by saying this is going to be somewhat situational. Relative frequencies humanize statistics and people relate to them more. You have to understand your audience to make the most effective use of the strategy.
14/
All told, thinking about the representation of statistics is pretty common these days in research when designing interventions. But, it's also applicable to any form of writing that describes risk and needs to achieve a goal. That encompasses most infosec writing.
15/
And, if you want to learn more about stats in a way that isn't boring, I recommend Naked Statistics by Charles Wheelan: smile.amazon.com/dp/B007Q6XLF2/….
We're all in the probability business, so it's helpful to understand how to talk about it.
17/17
Since I spend so much time talking to and researching SOCs and SOC analysts, I often get asked, "What is the biggest difference between high- and low-growth SOCs?"
The answer? Expectations.
1/
First, what do I mean by growth? I'm talking about places where analysts can grow their abilities. These are the places that take complete novices and help them achieve competence or take experienced analysts and help them specialize. Growing human ability.
2/
The organizations that support growth well are those where leadership has high (but realistic) expectations for analysts. These most often center around expecting the analyst to be able to make reliable, evidence-driven decisions confidently.
3/
Like lots of folks, I'm pretty miffed by the lack of robust virtualization support on Apple M1 hardware. I hope that gets fixed soon. But, it also got me to thinking about decision making at big vendors like Apple and others.
1/
For example, the security community (myself included) is often critical of Microsoft for some of their decision-making when it comes to usability/flexibility vs. security. Two things immediately come to mind...
2/
1. Macros. The idea that they exist, are default usable, and the UI pushes users more toward enabling them than disabling them.
2. Default logging configs. Fairly minimal with lots of sec relevant stuff left out (integrate sysmon already!).
3/
Abstractions are something analysts have to deal with in lots of forms. Abstraction is the process of taking away characteristics of something to represent it more simply. So, what does that look like? 1/
Well, speaking broadly, let's say that I tell you I had scrambled eggs with parsley and tarragon for breakfast. You can probably picture that very clearly in your mind and it will be fairly accurate to reality. However... 2/
What if I just tell you I had eggs? Or that I just had breakfast? Your perception of reality may differ greatly from what I actually ate. The abstraction increases the opportunity for error.
One of my research areas that I write about often is curiosity and how it manifests in infosec education and practice. A topic that relates to curiosity is Boredom, which I've done some recent reading on. I thought I'd share a bit about that. 1/
First, what is Boredom? A consensus definition is that boredom is the uncomfortable feeling of wanting to engage in satisfying activity without being able to do so. 2/
When you're bored, two things happen: 1. You want to do something but don't want to do anything. 2. You are not mentally occupied in a way that leverages your capacities or skills.
Let's talk about some lessons gathered from how a student over the weekend quickly went from struggling on an investigation lab and...
"I'm stuck"
to finished and...
"I don’t know if you just Yoda’d the hell out of me or what"
1/x
This particular student emailed and said they were stuck and gave me some miscellaneous facts they had discovered. I responded and asked them to lay out a timeline of what they knew already so that we could work together to spot the gaps. 2/
The truth is that when this inquiry is taken seriously, it doesn't often result in us having to spot those gaps together at all because the student figures it out on their own. Why does this happen? Two main reasons... 3/
One of the things I absolutely love about our new @sigma_hq course is that the final challenge includes building your own new rule (we provide a bunch of ideas) with the option of actually submitting it to the public repo. Folks learn and contribute community detection value.
@sigma_hq As part of that, @DefensiveDepth walks students through the process, even if they've never used git before. The Sigma community also does a great job of providing input and additional testing.
It's awesome to watch it all come together. I'm looking at a rule in the public repo now written by a student who didn't know anything about Sigma a month ago. It's been tested, vetted, and now it'll help folks find some evil.