Objective & Subjective Risk

Note: I started this response in 2012, abandoned it, and decided today to finish it.

I wrote a post on whether risk can be measured objectively in the summer of 2012. It was not particularly rigorous. This is the by-product of writing hastily. It was tweeted by Matt Flynn, who has his own blog on identity and access management. Following Matt’s tweet it received three separate tweets critical of the substance from Alex Hutton. I would like to note that the broader point of the article was lost in my haste, to wit, panels of experts are subject to the same errors and weaknesses in reasoning as the rest of us, so large top-down proscriptions from experts are dangerous. When they are done by your local government, it impacts few people. When done at a national level it impacts millions and is difficult to reverse.

These are his tweets verbatim.

[Images of the three tweets]

Twitter works poorly for substantive criticism, so if I have mis-categorized anything I am open to correction. At the time I responded on Twitter, but I wanted to do so more thoroughly.

Let me first note that Mr. Hutton is suspicious of the categories I used (objective/subjective) but does not hesitate to specify his own; of course, we don’t really know, and he doesn’t say, how he arrived at those (uncertainty/intersubjectivity). Categories follow some level of reasoning; the purpose they serve is to help us make sense of reality, because experience taught us long ago that like kinds of things behave in a similar fashion. Equally fundamental, we need to make sure that the words we use in a discussion have been defined to the satisfaction of both parties. In this way, the post was sloppy. When I used the terms objective and subjective, I was thinking in terms of simple dictionary definitions: subjective being influenced by personal feelings, tastes, opinion, etc., and objective not so influenced and hence true. What I did not mean is that when something is subjective it is devoid of reason, and that something objective is purely fact-based, devoid entirely of emotion. I am not dealing in ideal forms.

Let’s take the word “risk” next. When I say risk I mean an exposure to danger or something undesirable which we can to a certain degree anticipate but not necessarily precisely predict or measure. On the other hand, when I use the term uncertainty, I mean something which cannot be measured.

With that out of the way, let us take his first prescription: that Objective/Subjective is the wrong fight. I don’t really consider them to be a “fight.” The broader point is that in the realm of civilization, so-called experts are subject to the same weaknesses as everyone else, so you get unwelcome corporate behaviour like an “availability cascade” whose impact on a national scale is more misery than the misery they attempted to avoid.

Western civilization has found it useful to examine things in light of objective and subjective terms for two millennia, but apparently they have been wrong. They should have been using uncertainty and intersubjectivity. If the reader is not familiar with intersubjectivity, he should start with Edmund Husserl. It has influenced philosophy, anthropology, sociology, psychology and so on. Unfortunately it comes with its own set of baggage. If we are going to use intersubjectivity, whose conception are we to use? Husserl’s? Heidegger’s? Or all the other academics who have weighed in on it since the 1950s? I would like to add that many of these conceptions conflict with each other, so Mr. Hutton’s prescription is incoherent as stated and in need of clarification. One last point on intersubjectivity: depending on who you ask, it is either dangerously close to solipsism or it is solipsism. I think it is the latter and hence worthless.

In his second tweet he states that I am positing neither an actuarial nor an epistemological conundrum but rather a semantic one. This is incorrect; if the problem were semantic then one would need only to alter, define or find a better statement of the problem and the adverse effect would go away. That is not the case. My point is that the limits of our knowledge, combined with simple errors, undue outside influence, prior experiences, emotional amplification, etc., demonstrate that risk (again defined as an exposure to danger or something undesirable) is subjective in the social domain. It does not mean that all such effort is useless or that calling something a risk is “just your opinion.”

His final comment is “I’d stop using the word ‘risk’ & be particular about describing the phenomenon as meta data around risk determinants.” I know he doesn’t like the word risk used indiscriminately because he mentioned that in a talk once, stating that the Japanese didn’t have a word for it in their language until they were influenced by the West. I do see one problem with this prescription, which is: are there any risk determinants in the kind of risk under consideration to begin with? Are there not cases of disaster which were only obvious in retrospect, and discussions of determinants useless? What are the risk determinants for war? The use of the term implies a factor that decides the outcome. We don’t always know that.

Blind to Collapse

There is a very good article on the fall of the Roman empire by Ugo Bardi (h/t Vox Dei).  He applies system dynamics to explain the collapse.

Let’s start from the beginning…with the people who were contemporary to the collapse, the Romans themselves. Did they understand what was happening to them? This is a very important point: if a society, intended as its government, can understand that collapse is coming, can they do something to avoid it? It is relevant to our own situation, today.

In business, people use the myth of the boiled frog to explain our inability to see and adapt to the deleterious effects of change. And while there are those who unflinchingly pursue the truth, they may only be recognized as such in the post-collapse analysis. Decline is inevitable; the venal and the power hungry will eventually seize control (it’s for your own good, or for the children), the virtue of a culture will be replaced by a hedonistic calculus, technological sophistication reaches its zenith while education reaches its nadir, and everyone tries to saw off a limb while the tree falls. “I got mine.” Yes, you did.

Regardless of how much knowledge we accumulate, no matter how many collapsed civilizations, technological failures or business cases we study, there will always be a new generation who, as Russell Kirk described, “are like flies of the summer,” caring little for what went before them and nothing for what comes after, who are curious only, and I mean that in the medieval sense. The more complex a system becomes, the higher the cost to maintain the status quo. Eventually complexity reaches the point where the problems become insurmountable, and from what I have seen, the more centralized the decision-making authority, the faster the demise.

Kindle Fire Will Not Buy Us Much

There is a post over at Volokh Conspiracy where the author, Stewart Baker, believes that Kindle Fire users will ultimately be more secure because Amazon is acting as a big HTTP proxy, and by running everything through Amazon’s cloud it will reduce the risk of endpoint compromise. Instead of relying on your own ability to protect your device, Amazon will do it for you, assuming that they are more knowledgeable than you in information security related matters. I am not nearly as excited, for the following reasons:

1. Without physical security there is no security. If one has physical access to a device it is quite possible to subvert it for nefarious purposes. Amazon cannot control that, and if done well they will not be able to detect it. Ask Apple about all those jailbroken iPhones. Additionally, many exploits rely on social engineering. All the hardware in the world cannot stop you from making an error.

2. A big filtering proxy in the cloud is just another filtering proxy. At some point its pattern recognition systems will have false positives enough times that users will work overtime to get around them; that, or Amazon will have to loosen up the filtering. One commenter pointed out correctly that AOL tried this before.

3. Amazon Fire will have its own browser, which will have its own browser flaws and security problems. That is inescapable. Roll your own browser and you have to do your own code audits too; every change introduces new risks and possible regression errors.

4. Risk will be more non-linear. We may have fewer security problems, but the impact of one will be far more severe. A heavily defended system is always complex, and when a complex system goes down it is frequently catastrophic in consequence.

5. Security is expensive. The more complex the system, the higher the cost to defend it. Security is frequently one of the first areas relaxed when costs are creeping up. This is normally followed by a security failure of some kind, the firing of the security personnel, an increase in security spending on technological solutions, and a return to the beginning. Think of this as the security personnel scapegoating life cycle. Amazon will not be immune.

In the end, the entire Amazon Kindle Fire ecosystem is just another system requiring defending with the same kinds of problems as other systems.  I do not share the author’s optimism.

Central Control System Risk

Whenever we have a system whose function is to provide better risk management or security, that system itself will have a control element. These systems can be attacked and the service they provide disabled.

Take, for example, a network intrusion detection system: is the control console system protected? Is the back-end database on its own server, or is it part of a shared environment? Are the updated signatures delivered over a private physical network, or at least a separate VLAN? Are the administrators themselves audited periodically?

What I have seen many times is that the worst security in a company is on the security group’s control systems. Not because the security group is lazy or incompetent, but because they simply do not have the resources to adequately safeguard their own systems. They are assigned additional duties without additional personnel, or it was left out of the budget. It can happen to the best. There have been numerous luminaries in the information security field who have been hacked. Sometimes earning a living takes all your time and there is nothing left for securing your own systems.

If you cannot afford to add the correct number of internal personnel for your Identity Management Solution, Intrusion Detection System, Content Filtering Software, etc., you should contract someone who can, and then audit them regularly.

The Threat is Consistent

Those who wish you ill or would gladly steal from you care little about the global economic downturn. They are not sending out fewer exploits as attachments to spam; they have not stopped looking for ways to transfer money from your bank account or use your office PCs as zombies. When money is tight you need to defend yourself intelligently. Your number one priority should be keeping your software patched. Your second priority should be scanning any externally facing web applications for common vulnerabilities. If you don’t have the skills, hire someone who does. Finally, take the time to educate your employees on safe computing practices. Again, if you lack the skills, bring in a professional trainer.

Application Centric Identity?

I’ve been listening to and reading information lately on “Application Centric Identity” and how it’s supposed to be the new wave in Identity Management. Frankly, I’m a bit confused.

Basically it sounds like what’s being discussed is the creation of an authoritative store, something I’ve been working with in Identity Management for about 5 years now.

The “newness” to this offering seems to be the implementation of SOA / Web-services architectures to make it more interesting and accessible to authentication / authorization services.

I’ve always felt that by gathering the authoritative attributes from each enterprise repository and linking them together in an authoritative store (metadirectory), you create the clearest picture of what each identity “looks” like. Furthermore, these authoritative entries can then be used as the basis for provisioning new application entries and updating existing ones.
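The following is an added example, not code from the original post, showing the metadirectory idea in miniature: three constructed enterprise repositories (HR, a directory service, a badge system) are joined on an employee identifier, each attribute is taken only from the repository declared authoritative for it, and the resulting entries drive create/update/disable decisions for a downstream application. All repository names, records and the authority table are assumptions made for the example.

```python
"""Authoritative identity store (metadirectory) built from several repositories.

Added example; every repository, record and rule below is constructed for
illustration and is not data or code from the original post.
"""

# Constructed sample repositories, keyed by employee_id.
HR = {  # authoritative for name, department and employment status
    "e1001": {"employee_id": "e1001", "given_name": "Ana", "surname": "Silva",
              "department": "Finance", "status": "active"},
    "e1002": {"employee_id": "e1002", "given_name": "Ben", "surname": "Okafor",
              "department": "IT", "status": "terminated"},
}
DIRECTORY = {  # e.g. LDAP/AD: authoritative for login and email only
    "e1001": {"employee_id": "e1001", "login": "asilva",
              "email": "ana.silva@example.com",
              "department": "Accounting"},  # stale copy; must not override HR
    "e1003": {"employee_id": "e1003", "login": "csmith",
              "email": "c.smith@example.com"},  # no HR record: an orphan account
}
BADGE = {  # physical access system: authoritative for badge number
    "e1001": {"employee_id": "e1001", "badge": "B-7781"},
    "e1002": {"employee_id": "e1002", "badge": "B-1200"},
}
SOURCES = {"HR": HR, "DIRECTORY": DIRECTORY, "BADGE": BADGE}

# Which repository is authoritative for each attribute (assumed policy).
AUTHORITY = {
    "given_name": "HR", "surname": "HR", "department": "HR", "status": "HR",
    "login": "DIRECTORY", "email": "DIRECTORY",
    "badge": "BADGE",
}


def build_authoritative_store(sources=SOURCES, authority=AUTHORITY):
    """Join all repositories on employee_id.

    An attribute is copied into the store only from the repository that is
    authoritative for it, so a stale value elsewhere (DIRECTORY's department)
    never wins.  Returns (store, orphans); orphans are ids with no HR record,
    which an IdM process should flag rather than silently provision.
    """
    store = {}
    for src_name, repo in sources.items():
        for emp_id, rec in repo.items():
            entry = store.setdefault(emp_id, {"employee_id": emp_id, "seen_in": set()})
            entry["seen_in"].add(src_name)
            for attr, value in rec.items():
                if attr != "employee_id" and authority.get(attr) == src_name:
                    entry[attr] = value
    orphans = sorted(eid for eid, e in store.items() if "HR" not in e["seen_in"])
    return store, orphans


def provisioning_actions(store, target):
    """Derive actions for one downstream application from the store.

    `target` maps employee_id -> the application's current record (constructed).
    Terminated identities are disabled, active ones are created or updated,
    and identities without an authoritative status are left alone.
    """
    actions = []
    for emp_id, entry in sorted(store.items()):
        status = entry.get("status")
        if status == "terminated":
            if emp_id in target and target[emp_id].get("enabled", True):
                actions.append(("disable", emp_id))
            continue
        if status != "active":
            continue  # orphan: no authoritative status, do not provision
        desired = {k: entry.get(k) for k in ("login", "email", "department")}
        if emp_id not in target:
            actions.append(("create", emp_id, desired))
        else:
            diff = {k: v for k, v in desired.items() if target[emp_id].get(k) != v}
            if diff:
                actions.append(("update", emp_id, diff))
    return actions


if __name__ == "__main__":
    store, orphans = build_authoritative_store()
    app = {  # constructed state of a downstream application
        "e1001": {"login": "asilva", "email": "ana.silva@example.com",
                  "department": "Accounting", "enabled": True},
        "e1002": {"login": "bokafor", "enabled": True},
    }
    print("orphans:", orphans)
    for action in provisioning_actions(store, app):
        print(action)
```

The point of the authority table is that the store is not a union of whatever each system happens to hold; the directory's stale department value is discarded, the account with no HR record is surfaced as an orphan instead of being pushed downstream, and the terminated employee is disabled in the target application. That is the provisioning-plus-access-management coupling discussed in this post.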

To me it seems like the backers of this school of thought are finding a new way to talk about the integration of enterprise-level ERP systems with Identity Management. This is not a bad thing. The one thing we need to do is break out of the idea that Identity Management is solely provisioning or solely Access Management. One without the other is worse than useless given the potential for malicious behavior.

The Overestimation of Knowledge

When it comes to dealing with risks and understanding the distribution of risks, we greatly overestimate what we know. We use mathematical models derived from observable phenomena which may in fact be random or misleading. Even worse, many take as proof that because it never happened “here”, the threat must be exaggerated.

Right now some are turning to their respective governments demanding they “deal” with the current recession. What do these men know, many of whom are academics? Does reading make one omniscient? Does living your entire life on the taxpayer make you uniquely qualified to make market policy? Like a blindfolded passenger jerking the steering wheel and stomping on the gas, they are far more likely to send an economy headed for a ditch into a tree. All the mathematical models in the world, designed by academic geniuses, did not prepare the financial industry for the collapse that happened.

Who today is any different? One hears many information security professionals speaking with such assuredness about their perimeter security. I see lax practices in major corporations where, as long as it passes audit, they are happy. One supposes if something goes wrong they can always blame an outside auditor, or at least the junior member on the team. What did Mel Brooks, playing Governor William J. LePetomane, say in Blazing Saddles? “We’ve gotta protect our phoney-baloney jobs, gentlemen, we must do something about this immediately!” That something is frequently finding the scapegoat. Leaders who brag about their decisiveness and bark orders to subordinates, who are the epitome of knowledge and confidence, who spout advice on success to the lesser, suddenly become hapless victims, mere naïve children. Irrespective of whom one blames, the end result is the same and the damage is done.

The drive to grow the modern enterprise quickly is the source of many of these problems. Every successful quarter reinforces the risky behaviour, every interview is an opportunity to put one’s knowledge on display; a tireless parade of sycophants anxious to win trust. When cells grow quickly in the body it means one is a fetus. If one is an adult, it means cancer.

Rapid growth may lead to capital appreciation and nice dividends for a decade, but it also leads to failure to hedge against catastrophic risks, reckless behaviour, and frequently fraud. When one person wins 300 million in a lottery, they say he got lucky. When 10,000 entrepreneurs enter the market with the same basic idea and one of them succeeds, they call it genius.

Perhaps instead mankind is a blind squirrel grubbing for the proverbial nut, and only some of them have the humility to admit it. It is impossible to identify every risk and anticipate every possible outcome, and for the last fifty years we have had the benefit of being relatively free of want in the West. Our ancestors saved and prepared themselves for unpredictable disaster, braced themselves emotionally for the loss of children, because the world was uncertain. Many of those uncertainties have been reduced, but others abound. Dealing with risk means building robustness and redundancies, establishing financial reserves, and going slower, because mitigation of risk slows you down. This recession might have shown us who was properly prepared by watching those who weren’t disappear into financial history; instead we socialized the risk across the whole of America, and it feels a lot like a suicide pact. They have the knowledge; we have the exposure.

Perception of Risk is Influenced by Ease of Pronunciation

I missed this study earlier (HT: Bruce Schneier). The result is exactly what one would expect. There has always been a general distrust of the alien, a fear of the unknown. The impact on IT is that when they bring new items up for review, they can expect higher scrutiny for anything containing hard-to-pronounce names. Experience teaches us that most innovations fail, so when we encounter something unfamiliar we consider it more risky. Difficulty in pronouncing its name amplifies this effect. In fact, this is why we have proofs of concept, pilots and test markets for innovations. When faced with three choices to make under time pressure, we will tend to choose the one that is most familiar, because cognitively we map what is familiar to safe. Difficulty in pronouncing a name can also slow the time it takes to process the choice. Look how long it took Linux to gain acceptance in the executive suite despite the cost differential and ease of pronunciation. The experience of using it in the data center is now sufficiently broad that, except in the most conservative companies, it is no longer considered risky. Imagine how much longer it would have taken if the name was something like Lydrarjickavar.

Risk Management and Information II

I really wanted to write this sooner, but I am on a project currently. In my previous post I raised some questions for Marco concerning three points of his post (see Risk Management and Information). He responded addressing each one. Concerning my criticism about “unstructured data,” he chose to accept the use of the term in its connotative usage. I will make one final post on “unstructured data,” and it is the last thing I will say about it.

Marco goes on to reference a paper he and fellow researchers have published, and more than anything else, after I read it on the plane, the context for his post was clear and it eliminated any misunderstanding. If one has an interest in Identity Analytics, it is worth reading. They look at using mathematical modeling to provide guidance and predict the impact of policy choices to enable better decision making. At the end of his post, he asks me the following:

It would be of some interest to the readers of this blog if this statement could be elaborated (specifically in the space of IdM and information management) along with providing some recommendations/input/directions (hopefully beyond having to hire a consulting company).

I will attempt to answer that question while staying clear of methodology. There are obvious constraints I have in my current position. Personally, if I were independent I would publish the entire thing, for one very simple reason: ideas are easy, execution of ideas difficult. Twelve people would read it and the majority would fail to implement it properly. This is the way the world works. Great script a movie does not make.

Before one looks at information in all its forms, what is the purpose of risk management? From my perspective it’s taking the knowledge that one has about how the world works and translating that into prudent decision making, where one hopes success is greater than failure. In business, as in life in general, there is nothing more important than proper decision making. The entrepreneur and the executive in a large corporation will both make decisions with less than perfect knowledge, some good, some bad.

So in order to make prudent choices and decisions, businesses need an understanding of both their exogenous and endogenous risks across the entire value chain. The determination of risks neither precedes nor succeeds the setting of business goals, but rather is temporally concomitant with goal setting. Business goals are set with feedback from an existing dynamic environment, and as the environment evolves, the risks evolve, and the identification of changes in those risks should (but frequently does not) act as a negative feedback loop on activity. The distribution of risks themselves can be broadly placed into two domains: those that exhibit a Gaussian or normal distribution and those that are scale-free or follow a power-law distribution. It’s not always easy to know which one is being confronted. Upper and lower bounds could be based on insufficiently small sample sizes. Errors in decision making, even small errors, in scale-free networks can have devastating consequences; just ask the former employees of Bear Stearns.
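An added example, not from the original post, illustrating the last two points: why a bound taken from a small sample is reassuring when losses are roughly normal and dangerously misleading when they follow a power law. It draws constructed loss amounts from a normal distribution and from a Pareto distribution with the same notional floor, then compares the worst loss seen in a small sample (the kind of history a risk register usually has) with the worst loss in a much larger one. The distribution parameters, sample sizes and seed are assumptions chosen for the demonstration.

```python
"""Small samples and the two risk domains (normal vs. power law).

Added example; loss amounts are constructed with Python's random module,
not data from the post.  The parameters below are assumptions.
"""
import random
import statistics


def simulate_losses(kind, n, rng):
    """Draw n loss amounts in arbitrary units.

    'normal'   : losses cluster around 100 with modest spread (Gaussian domain).
    'powerlaw' : losses have a floor of 100 and a Pareto tail with alpha=1.5,
                 i.e. infinite variance (scale-free domain).
    """
    if kind == "normal":
        return [max(0.0, rng.gauss(100, 15)) for _ in range(n)]
    if kind == "powerlaw":
        return [100 * rng.paretovariate(1.5) for _ in range(n)]
    raise ValueError(f"unknown distribution kind: {kind}")


def small_sample_bound_check(kind, small_n=30, large_n=100_000, seed=7):
    """Compare bounds derived from a small history with a much larger one.

    Returns a dict with the small-sample maximum and a naive "mean + 3 sigma"
    bound computed from it, the large-sample maximum, and the ratio of the
    large-sample maximum to the small-sample maximum.  A ratio near 1 means
    the small sample already captured the scale of the worst case; a large
    ratio means the small history badly understated it.
    """
    rng = random.Random(seed)
    small = simulate_losses(kind, small_n, rng)
    large = simulate_losses(kind, large_n, rng)
    naive_bound = statistics.mean(small) + 3 * statistics.stdev(small)
    exceed = sum(1 for x in large if x > naive_bound) / large_n
    return {
        "kind": kind,
        "small_max": max(small),
        "naive_bound": naive_bound,
        "large_max": max(large),
        "ratio": max(large) / max(small),
        "fraction_beyond_naive_bound": exceed,
    }


def tail_risk_summary(seed=7):
    """Run the check for both domains and return the two result dicts."""
    return {kind: small_sample_bound_check(kind, seed=seed)
            for kind in ("normal", "powerlaw")}


if __name__ == "__main__":
    for kind, res in tail_risk_summary().items():
        print(f"{kind:9s} small_max={res['small_max']:12.1f} "
              f"naive_bound={res['naive_bound']:12.1f} "
              f"large_max={res['large_max']:12.1f} ratio={res['ratio']:8.2f} "
              f"beyond_bound={res['fraction_beyond_naive_bound']:.4f}")
```

For the normal case the worst loss in a hundred thousand draws is only modestly above the worst of thirty, so a reserve sized from the short history is roughly right. For the power-law case the ratio runs into the hundreds: the thirty-draw history contains nothing resembling the losses that a longer run produces, and a "mean plus three sigma" bound computed from it is exceeded far more often than the 0.1% the Gaussian intuition promises. That is the practical content of "upper and lower bounds based on insufficiently small sample sizes."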

Businesses need access to knowledge that will allow them to innovate, create and make prudent decisions. Some of this knowledge confers a competitive advantage and some of it does not. As I said in my previous post, the first order of business is to classify the information we have. If we have not determined the relative importance of this information, we do not know what we need to protect. One could easily find oneself like a mad reductionist historian, satisfied to study the stains on the library wall while genuine knowledge gathers dust on the shelves. One must confront the problem of scarcity, which concentrates efforts into protecting only the priority areas. It is not possible to mitigate every risk to the enterprise.

The arrival of specialized information security practitioners in many corporations came with the advent of the internet. The corporate fortress gave way to a walled city. In many companies information security has nothing to do with explicit risk management. Its effects lower broader risks in a piecemeal fashion. Many infosec personnel just watch the border or set toothless policy. It wasn’t until legislation forced changes that many companies developed real processes. Companies who are not impacted by legislation continue with sloppy practices. I see it all the time.

Given the foregoing, before one looks at sophisticated controls of information, it should be obvious that there is a lot that can be done better. Assume, for the sake of discussion, that the corporation has identified its external and internal risks across the value chain, its risk processes are aligned with goal setting, it has proper task organization, and it has a structure that permits enterprise risk management. What should one do to protect and control their information?

I will continue this in my next post, given the length of this one.

2008-09-16 – edited the opening to clarify some ambiguities.