The Overestimation of Knowledge

When it comes to dealing with risks and understanding the distribution of risks, we greatly overestimate what we know. We use mathematical models derived from observable phenomena which may in fact be random or misleading. Even worse, many take the fact that it never happened “here” as proof that the threat must be exaggerated.

Right now some are turning to their respective governments demanding they “deal” with the current recession. What do these men know, many of whom are academics? Does reading make one omniscient? Does living your entire life on the taxpayer make you uniquely qualified to make market policy? Like a blindfolded passenger jerking the steering wheel and stomping on the gas, they are far more likely to send an economy headed for a ditch into a tree. All the mathematical models in the world, designed by academic geniuses, did not prepare the financial industry for the collapse that happened.

Who today is any different? One hears many information security professionals speaking with such assuredness about their perimeter security. I see lax practices in major corporations where, as long as it passes audit, they are happy. One supposes that if something goes wrong they can always blame an outside auditor, or at least the junior member of the team. What did Mel Brooks, playing Governor William J. Le Petomane, say in Blazing Saddles? “We’ve gotta protect our phoney-baloney jobs, gentlemen, we must do something about this immediately!” That something is frequently to find a scapegoat. Leaders who brag about their decisiveness and bark orders at subordinates, who are the epitome of knowledge and confidence, who spout advice on success to the lesser, suddenly become hapless victims, mere naïve children. Irrespective of whom one blames, the end result is the same and the damage is done.

The drive to grow the modern enterprise quickly is the source of many of these problems: every successful quarter reinforcing the risky behaviour, every interview an opportunity to put one’s knowledge on display, a tireless parade of sycophants anxious to win trust. When cells grow quickly in the body it means one is a fetus. If one is an adult, it means cancer.

Rapid growth may lead to capital appreciation and nice dividends for a decade, but it also leads to a failure to hedge against catastrophic risks, to reckless behaviour, and frequently to fraud. When one person wins 300 million in a lottery, they say he got lucky. When 10,000 entrepreneurs enter the market with the same basic idea and one of them succeeds, they call it genius.

Perhaps instead mankind is a blind squirrel grubbing for the proverbial nut, and only some of us have the humility to admit it. It is impossible to identify every risk or anticipate every possible outcome, and for the last fifty years we in the West have had the benefit of being relatively free of want. Our ancestors saved and prepared themselves for unpredictable disaster, and braced themselves emotionally for the loss of children, because the world was uncertain. Many of those uncertainties have been reduced, but others abound. Dealing with risk means building robustness and redundancy, establishing financial reserves, and going slower, because mitigating risk slows you down. This recession might have shown us who was properly prepared by letting those who weren’t disappear into financial history; instead we socialized the risk across the whole of America, and it feels a lot like a suicide pact. They have the knowledge; we have the exposure.

Risk Management and Information II

I really wanted to write this sooner, but I am on a project currently. In my previous post I raised some questions for Marco concerning three points of his post (see Risk Management and Information). He responded, addressing each one. Concerning my criticism of “unstructured data”, he chose to accept the use of the term in its connotative usage. I will make one final post on “unstructured data”, and it is the last thing I will say about it.

Marco goes on to reference a paper he and fellow researchers have published, and more than anything else, after I read it on the plane, the context for his post was clear and it eliminated any misunderstanding. If one has an interest in Identity Analytics, it is worth reading. They look at using mathematical modeling to provide guidance and to predict the impact of policy choices, enabling better decision making. At the end of his post, he asks me the following:

It would be of some interest to the readers of this blog if this statement could be elaborated (specifically in the space of IdM and information management) along with providing some recommendations/input/directions (hopefully beyond having to hire a consulting company).

I will attempt to answer that question while staying clear of methodology. There are obvious constraints I have in my current position. Personally, if I were independent I would publish the entire thing, for one very simple reason: ideas are easy, execution of ideas difficult. Twelve people would read it and the majority would fail to implement it properly. This is the way the world works. A great script a movie does not make.

Before one looks at information in all its forms, what is the purpose of risk management? From my perspective it is taking the knowledge one has about how the world works and translating it into prudent decision making, in the hope that successes outnumber failures. In business, as in life in general, there is nothing more important than proper decision making. The entrepreneur and the executive in a large corporation will both make decisions with less than perfect knowledge, some good, some bad.

So in order to make prudent choices and decisions, businesses need an understanding of both their exogenous and endogenous risks across the entire value chain. The determination of risks neither precedes nor follows the setting of business goals, but rather happens alongside it. Business goals are set with feedback from an existing dynamic environment; as the environment evolves, the risks evolve, and the identification of changes in those risks should (but frequently does not) act as a negative feedback loop on activity. The risks themselves can be broadly placed into two domains: those whose distribution is Gaussian, or normal, and those that are scale free and follow a power law. It is not always easy to know which one is confronting, and the upper and lower bounds one has observed may rest on a sample far too small to reveal the tail; the worst loss seen so far says very little about the worst loss possible. Errors in decision making, even small errors, can have devastating consequences in a scale-free world; just ask the former employees of Bear Stearns.
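To make the Gaussian-versus-power-law point concrete, here is an added illustration (my own constructed example, not anything from Marco’s paper or his post). Losses are drawn from a Pareto distribution with shape 3, a power law that still has a finite mean and variance, so a Gaussian fitted to the sample looks entirely reasonable on the bulk of the data. The fitted model then puts the probability of a loss above ten times the minimum at essentially zero, while the true distribution puts it at one in a thousand, and the one-in-a-million loss under the power law is roughly twenty times what the Gaussian predicts. The distribution parameters, the threshold and the random seed are all assumptions chosen for the illustration.

```python
"""Why fitting a Gaussian to a power-law risk hides the tail.

Constructed example: losses come from a Pareto(alpha=3, xm=1) distribution,
which has a finite mean and variance, so a Gaussian fit is "reasonable" on the
bulk of the data and wrong by many orders of magnitude in the tail.
"""
import math
import random
import statistics


def pareto_tail(x, alpha=3.0, xm=1.0):
    """P(Loss > x) for a Pareto distribution with scale xm and shape alpha."""
    return (xm / x) ** alpha if x > xm else 1.0


def pareto_var(q, alpha=3.0, xm=1.0):
    """Loss level that the power law says is exceeded with probability q."""
    return xm * q ** (-1.0 / alpha)


def gaussian_tail(x, mean, sd):
    """P(Loss > x) for a normal distribution; erfc keeps precision far out."""
    z = (x - mean) / sd
    return 0.5 * math.erfc(z / math.sqrt(2.0))


def gaussian_var(q, mean, sd):
    """Loss level that a normal model says is exceeded with probability q."""
    return statistics.NormalDist(mean, sd).inv_cdf(1.0 - q)


def moment_matched_gaussian(alpha=3.0, xm=1.0):
    """Exact mean and sd of the Pareto: what a perfect Gaussian fit would use."""
    mean = alpha * xm / (alpha - 1)
    var = xm ** 2 * alpha / ((alpha - 1) ** 2 * (alpha - 2))
    return mean, math.sqrt(var)


def fit_and_compare(n=10_000, threshold=10.0, seed=20080916):
    """Draw n Pareto losses, fit a Gaussian to them, compare tail estimates.

    Returns (empirical exceedance frequency, Gaussian-implied probability,
    largest loss observed). The seed (an arbitrary choice) makes it reproducible.
    """
    rng = random.Random(seed)
    losses = [rng.paretovariate(3.0) for _ in range(n)]   # xm = 1
    mean, sd = statistics.fmean(losses), statistics.stdev(losses)
    empirical = sum(1 for loss in losses if loss > threshold) / n
    implied = gaussian_tail(threshold, mean, sd)
    return empirical, implied, max(losses)


if __name__ == "__main__":
    mean, sd = moment_matched_gaussian()
    print(f"true P(loss > 10):     {pareto_tail(10.0):.1e}")
    print(f"Gaussian P(loss > 10): {gaussian_tail(10.0, mean, sd):.1e}")
    for q in (1e-3, 1e-6):
        print(f"1-in-{int(1 / q):,} loss: power law {pareto_var(q):6.1f}, "
              f"Gaussian {gaussian_var(q, mean, sd):5.1f}")
    empirical, implied, worst = fit_and_compare()
    print(f"sample of 10,000: seen {empirical:.1e}, model says {implied:.1e}, "
          f"worst observed {worst:.1f}")
```

The lesson for the sample-size remark above: with 10,000 observations the largest loss seen is typically in the low twenties, so anyone taking the observed maximum as an upper bound would be planning for something five times smaller than the one-in-a-million loss the generating process actually produces.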

Businesses need access to knowledge that will allow them to innovate, create and make prudent decisions. Some of this knowledge confers a competitive advantage and some of it does not. As I said in my previous post, the first order of business is to classify the information we have. If we have not determined the relative importance of this information, we do not know what we need to protect. One could easily find oneself like a mad reductionist historian, satisfied to study the stains on the library wall while genuine knowledge gathers dust on the shelves. One must confront the problem of scarcity, which concentrates effort on protecting only the priority areas. It is not possible to mitigate every risk to the enterprise.

The arrival of specialized information security practitioners in many corporations came with the advent of the internet. The corporate fortress gave way to a walled city. In many companies information security has nothing to do with explicit risk management; its effects lower broader risks only in a piecemeal fashion. Many infosec personnel just watch the border or set toothless policy. It wasn’t until legislation forced changes that many companies developed real processes. Companies that are not impacted by legislation continue with sloppy practices. I see it all the time.

Given the foregoing, before one looks at sophisticated controls on information, it should be obvious that there is a lot that can be done better. Assume for the sake of discussion that the corporation has identified its external and internal risks across the value chain, that its risk processes are aligned with goal setting, that it has proper task organization, and that it has a structure which permits enterprise risk management. What should one then do to protect and control its information?

I will continue this in my next post, given the length of this one.

2008-09-16 – edited the opening to clarify some ambiguities.