The Fallacy of Complete and Accurate Risk Quantification

Wow. The American taxpayer now owns AIG. Does that mean I can get a cheap rate? The economic events of the past few days transitioned the months-long saga of financial irresponsibility past merely sturn ing into the realm of truly terrifying. We’ve leaped past the predictable into a maelstrom of uncertainty edging on a black hole of unknowable repercussions. True, the system could stabilize soon; allowing us to rebuild before the shock waves topple the relatively stable average family. But right now it seems the global economy is so convoluted we’re all moving forward like a big herd navigating K2 in a blinding snowstorm with the occasional avalanche. Yeah, I’m scared. Frightened and furious that, yet again, the group think of the financial community placed the future of my family at risk. That we, as taxpayers, will have to bail them out like Chrysler in the 70’s, and the savings and loan institutions of the 80’s. That, in all likelihood, no one responsible for the decisions will be held accountable and they will all go back to lives of luxury. One lesson I’m already taking to heart is that I believe these events are disproving the myth of the reliability of risk management in financial services. On the security side, we often hold up financial services as the golden child of risk management. In that world, nearly everything is quantifiable, especially with credit and market risk (operational is always a bit more fuzzy). Complex equations and tables feed intelligent risk decisions that allow financial institutions to manage their risk portfolios while maximizing profitability. All backed by an insurance industry, also using big math, big heads, and big computers; capable of accepting and distributing the financial impact of point failures. But we are witnessing the failure of that system of risk management on an epic scale. Much of our financial system revolves around risk- distributing, transferring, and quantifying risk to fuel the economy. The simplest savings and loan bank is nothing more than a risk management tool. It provides a safe haven for our assets, and in return is allowed to use those assets for it’s own profitability. Banks make loans and charge interest. They do this knowing a certain percentage of those loans will default, and using risk models decide which are safest, which are riskiest, and what interest rate to charge based on that level of risk. It’s just a form of gambling, but one where they know the odds. We, the banks customers, are protected from bad decisions through a combination of diversification (spreading the risk, rather than just one big loan to one big customer), and insurance (the FDIC here in the US). It’s a system that’s failed before; once spectacularly (the Depression), and again in the 80’s, but overall works well. Thus we have empirical proof that even the simplest form of financial risk management can fail. Fast forward to today. Our system is infinitely more complex than a simple S&L; interconnected in ways that we now know no one completely understands. But we do know some of the failures: Risk ratings firms knowingly under-rated risks to avoid losing the business of financial firms wanting to make those investments. Insurance firms, like AIG, backed these complex financial tools without fully understanding them. Financial firms themselves traded in these complex assets without fully understanding them. The entire industry engaged in massive group think which ignored clear risks of relying on a single factor (the mortgage industry) to fuel other investments. Lack of proper oversight (government, risk rating companies, and insurance companies) allowed this to play out to an extreme. Reduced compartmentalization in the financial system allowed failures to spread across multiple sectors (possibly a deregulation failure). Let’s tie this back to information security risk management. First, please don’t take this as a diatribe against security metrics- of which I’m a firm supporter. My argument is that these events show that complete and accurate risk quantification isn’t really possible, for two big reasons. It is impossible to avoid introducing bias into the system; even a purely mathematical system. The metrics we choose, how we measure them, and how we rate them will always be biased. As with recent events, individual (or group) desires can heavily influence that bias and the resulting conclusions. We always game the system. Complexity is the enemy of risk, yet everything is complex. It’s nearly impossible to fully understand any system worth measuring risk on. Which leads to my message of the day. Quantified risk is no more or less valuable or effective than qualified risk. Let’s stop pretending we can quantify everything, because even when we can (as in the current economic fiasco) the result isn’t necessarily reliable, and won’t necessarily lead to better decisions. I actually think we often abuse quantification to support bad decisions that a qualified assessment would prevent. Now I can’t close without injecting a bit of my personal politics, so stop reading here if you don’t want my two sentence rant… rant I don’t see how anyone can justify voting for a platform of less regulation and reduced government oversight. Now that we own AIG and a few other companies, it seems that’s just a good way to socialize big business. It didn’t work in the 80’s, and it isn’t working now. I support free markets, but damn, we need better regulation and oversight. I’m tired of paying for big business’s big mistakes and people pretending that this time it was just a mistake and it won’t happen again if we just get the government out of the way and lower corporate taxes. Enough of the fracking corporate welfare! /rant Share:

Read Post

Jay Beale, Kevin Johnson, and Justin Searle Join the Network Security Podcast

Boy am I behind on my blog posts! I have a ton of stuff to get up/announce, and first up is episode 120 of the Network Security Podcast. Martin and I were joined by Justin Searle, Kevin Johnson and Jay Beale from Intelguardians. As well as discussing the news stories of the week, the guys were here to tell us about a new LiveCD they’ve developed, Samurai. It was a great episode with some extremely knowledgeable guys. Full show notes are at Network Security Podcast, Episode 120 for September 16, 2008 Time: 43:57 Share:

Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.