Risk analysis for DEF CON 2021

Post Syndicated from Robert Graham original https://blog.erratasec.com/2021/07/risk-analysis-for-def-con-2021.html

It’s the second year of the pandemic and the DEF CON hacker conference wasn’t canceled. However, the Delta variant is spreading. I thought I’d do a little bit of risk analysis. TL;DR: I’m not canceling my ticket, but changing my plans what I do in Vegas during the convention.

First, a note about risk analysis. For many people, “risk” means something to avoid. They work in a binary world, labeling things as either “risky” (to be avoided) or “not risky”. But real risk analysis is about shades of gray, trying to quantify things.

The Delta variant is a mutation out of India that, at the moment, is particularly affecting the UK. Cases are nearly up to their pre-vaccination peaks in that country.

Note that the UK has already vaccinated nearly 70% of their population — more than the United States. In both the UK and US there are few preventive measures in place (no lockdowns, no masks) other than vaccines.


Thus, the UK graph is somewhat predictive of what will happen in the United States. If we time things from when the latest wave hit the same levels as peak of the first wave, then it looks like the USA is only about 1.5 months behind the UK.

It’s another interesting lesson about risk analysis. Most people experience these things as sudden changes. One moment, everything seems fine, and cases are decreasing. The next moment, we are experiencing a major new wave of infections. It’s especially jarring when the thing we are tracking is exponential. But we can compare the curves and see that things are totally predictable. In about another 1.5 months, the US will experience a wave that looks similar to the UK wave.

Sometimes the problem is that the change is inconceivable. We saw that recently with 1-in-100 year floods in Germany. Weather forecasters predicted 1-in-100 level of floods days in advance, but they still surprised many people.

Nevada is ahead of the curve in the US, probably because Vegas is such a hub of unvaccinated people going on vacation. Because of exponential growth, there’s a good chance that in 2 weeks, that peek will be triple where it is now. It may not look like “time to cancel your ticket” now, but it probably will in 2 weeks when the event takes place. In other words, the closer we get to the event, the more people will look at this graph and cancel their tickets.

The risk is really high for the unvaccinated, but much less for the vaccinated. We see that in the death rates in the UK, which are still low, even accounting for the 2 week lag that you see between spikes in infections and spikes in deaths. This is partly due to the fact that while the new variant infects the vaccinated, it doesn’t cause much harm. Also, I suspect it’s due to how much better we are at treating infections if they do require a hospital visit.

But still, death isn’t the major concern. It appears the major concern is long term-lung (and other organ) damage caused by even mild cases. Thus, one should fear infection even if one believes they have no chance of dying.

So here’s my personal risk analysis: I’m not canceling my ticket. Instead, I’m changing my plans of what I do. For the most part, this means that wherever there’s a crowd, go someplace else.
It also means I’m going to take this opportunity to do things I’ve never had the opportunity to do before: go outside of Vegas. I plan on renting a car to go down to the Grand Canyon, Hoover Dam, and do hikes around the area (like along Lake Meade, up in the canyons, and so on). This means spending most of my time away from people.
During the pandemic, outdoor activities (without masks, socially distanced) is one of the safest things you can do, especially considering the exercise and vitamin D that you’ll be getting.
Also, airplanes aren’t much of a worry. They have great filtration and as far as anybody can tell, haven’t resulted in superspreader events this entire pandemic.
The real point of this blogpost is the idea of “predictions”. This post predicts that US infection rates will be spiking in 1.5 months in a curve that looks similar to the UK, and that in 2 weeks during DEFCON, Nevada’s infection rates will be around 3 times higher. The biggest lesson about risk analysis is that it’s usually done in hind-sight, what people should’ve known, once the outcome is known. It’s much harder doing it the other way around, estimating what might happen in the future.