An excerpt from How to Measure Anything in Cybersecurity Risk:
You might have heard the old joke about two hikers getting ready for a walk into the woods. […] One hiker is wearing his running shoes instead of his regular hiking boots. The other asks, “Is there something wrong with your regular boots?” to which the first hiker responds, “No, I just heard there were bears in the woods today. I wore these shoes so I could run faster.”
His friend, confused, reminds him, “But you know you can’t outrun a bear.”
The hiker with the running shoes replies, “I don’t have to outrun a bear. I just have to outrun you.”
This old (and admittedly tired) joke is the basis for the name of a particular fallacy when it comes to evaluating models or decision-making methods of any kind. […]
The basis of this fallacy goes something like this: If there is a single example of one method failing in some way or even having a minor weakness, we default to another method without ever investigating whether the alternative method has even worse weaknesses and track record.
Always good to remember this.