Measuring Risk Objectively?

In order to manage the complexity of life and the accompanying uncertainties, we build models.  Models by their very nature are reductions, that is, we throw out a certain amount of information.  A historian writing a history of Frankfurt, Germany is not going to concern himself with spots on the floor of the Rathaus in 1888 (unless he is a post-modern reductionist).

Risk is itself an abstraction; it is certainly not real.  Being the victim of a specific risk, however, is real enough.  A more interesting topic is whether risk is objective or subjective.  How we measure matters.  It may impress to show on a slide that the mail gateway anti-virus blocked ten million attempts in the last year, but it matters little when the consequences of a single failure can end the business.

The U.S. legal scholar Cass Sunstein, who coined the term “libertarian paternalism”, has commented on how small risks can become distorted in the mind of the public and amplified to the point (normally via mass media) that they influence public policy.  He uses the terms “availability cascade” (from the availability bias) and “probability neglect” to describe the basis for the entire process. The exact same thing happens in any organization where one bad experience leads to ridiculous changes in policy.  In the US, think of Love Canal or Times Beach.

So when we model a certain risk, the model is often driven by emotion or prejudice, and key elements are included or excluded on that basis.  It may take years to identify the errors.  I could be wrong, but I do not think that risk can be measured objectively, even with panels of experts, since they are subject to the same problems as the lumpenproletariat they feel superior to: bias, group-think, emotional amplification, poor statistical reasoning, priors, etc. Because of this, I agree with Paul Slovic: risk is subjective.

Kubla Khan is Always With Us

Samuel Taylor Coleridge penned his famous poem Kubla Khan, a Vision of a Dream under the influence of a few grains of opium taken for dysentery. One can only wonder what the fifth great Khan himself was under when he ordered the building of 4,000 ships in a year for the second invasion of Japan. Perhaps he was only drunk on power. Nevertheless, it too was a catastrophic failure in which nearly everyone perished in a typhoon.

The Japanese myth had it that a magical wind did in Kubla Khan’s fleet. Modern archaeology tells a slightly different story. The order from Genghis Khan’s grandson led to shoddy craftsmanship and to the use of flat-bottomed river vessels in order to meet the artificial deadline. When placed under the duress of a typhoon, a statistical outlier, the vessels lacked the required design and therefore the resilience to withstand the storm.

Again and again people plan based on best-case scenarios, ignoring the outliers whose impact is catastrophic. Completion dates are imposed based on the perception of what timeline is acceptable to the boss, or on blind bottom-up, task-by-task time estimates. This carries on today, whether it is ambitious government, ambitious business, or ambitious IAM. We hear repeatedly stories of hard-nosed leaders saying, “I told them I wanted it yesterday and they made it happen.” While these stories appear regularly in the press, the stories we don’t hear (unless the magnitude is large) are the numerous small failures where “I wanted it yesterday” is a loser. I assure you these outnumber the success stories, but there is no one out there bragging about that: “Hey everyone, boy did we lose money this week” or “I would like to congratulate the team for missing every deadline I imposed on them.”

It is no different than the gambler bragging about his winnings and staying strangely silent on his losses. As Nassim Taleb has said, “We don’t learn that we don’t learn.”

Preventing SUNburn?

So it’s finally beginning.  Identity Management vendors are perceiving the departure of Sun IDM from the landscape.  CA is now offering Sun users the ability to switch over to CA’s IDM product.

I’ve not heard much lately about what the eventual plans are for Sun IDM, but something’s going to have to be announced soon before the other IdM vendors pull the rug out from under Sun/Oracle.

Application Centric Identity?

I’ve been listening to and reading information lately on “Application Centric Identity” and how it’s supposed to be the new wave in Identity Management.  Frankly I’m a bit confused.

Basically it sounds like what’s being discussed is the creation of an authoritative store, something I’ve been working with in Identity Management for about 5 years now.

The “newness” to this offering seems to be the implementation of SOA / Web-services architectures to make it more interesting and accessible to authentication / authorization services.

I’ve always felt that by gathering the authoritative attributes from each enterprise repository and linking them together in an authoritative store (metadirectory) you create the clearest picture of what each identity “looks” like.  Furthermore, these authoritative entries can then be used as the basis for provisioning new application entries and updating existing ones.

To me it seems like the backers of this school of thought are finding a new way to talk about the integration of enterprise-level ERP systems with Identity Management.  This is not a bad thing.  The one thing we need to do is break out of the idea that Identity Management is solely provisioning or solely Access Management. One without the other is worse than useless given the potential for malicious behavior.
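As an added illustration of the metadirectory idea described above (example code written for this post, not part of any product): each repository is authoritative for only some attributes, the store is built by joining on a shared key and taking every attribute solely from its authoritative source, and the resulting entries drive provisioning, including revoking access for leavers so that provisioning and access control stay linked. The attribute-authority mapping, the employee_id join key and the sample repositories are all constructed assumptions.

```python
from typing import Dict

# Per-attribute authority: which repository may assert which attribute
# (an assumed mapping for this example, not a product configuration).
AUTHORITY = {"given_name": "hr", "surname": "hr", "department": "hr",
             "status": "hr", "email": "mail", "phone": "pbx"}

# Constructed sample repositories, each keyed by the join attribute employee_id.
# HR carries a stale email and MAIL a stale department: neither source is
# authoritative for that attribute, so the join must ignore those values.
HR = {"1001": {"given_name": "Ada", "surname": "Lovelace", "department": "R&D",
               "status": "active", "email": "stale@corp.example"},
      "1002": {"given_name": "Alan", "surname": "Turing", "department": "Ops",
               "status": "terminated"}}
MAIL = {"1001": {"email": "ada@corp.example", "department": "Marketing"}}
PBX = {"1001": {"phone": "+1-555-0100"}, "1002": {"phone": "+1-555-0101"}}
SOURCES = {"hr": HR, "mail": MAIL, "pbx": PBX}


def build_authoritative_store(sources: Dict[str, dict]) -> Dict[str, dict]:
    """Join every repository on employee_id, keeping each attribute only from
    the source that is authoritative for it."""
    store: Dict[str, dict] = {}
    for src_name, repo in sources.items():
        for emp_id, rec in repo.items():
            entry = store.setdefault(emp_id, {"employee_id": emp_id})
            for attr, value in rec.items():
                if AUTHORITY.get(attr) == src_name:
                    entry[attr] = value
    return store


def provisioning_actions(store: Dict[str, dict], target: Dict[str, dict],
                         attrs=("given_name", "surname", "email")) -> dict:
    """Diff the authoritative store against one target application's accounts
    and return the create/update/disable actions a connector would apply."""
    actions: dict = {"create": {}, "update": {}, "disable": []}
    for emp_id, entry in store.items():
        if entry.get("status") != "active":  # leaver: revoke, never provision
            if emp_id in target:
                actions["disable"].append(emp_id)
            continue
        wanted = {a: entry[a] for a in attrs if a in entry}
        if emp_id not in target:
            actions["create"][emp_id] = wanted
        else:
            diff = {a: v for a, v in wanted.items() if target[emp_id].get(a) != v}
            if diff:
                actions["update"][emp_id] = diff
    return actions
```

Running `provisioning_actions(build_authoritative_store(SOURCES), target_accounts)` against an application's current account list yields the connector's work list; the stale HR email never reaches the target because only the mail system is authoritative for it.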

Start up…

This is a new blog on SAP’s Netweaver Identity Manager (fka Maxware) from the practitioners of Secude Global Consulting. We will use our experiences installing, deploying and configuring this product to help you get the maximum benefit from this versatile piece of software. You may also see an occasional post on systems thinking and enterprise risk management.