August 22, 2007

Outrage: Less and More

We've been discussing Outrage Considered Useful. Alex remarked in a comment:

The term "Outrage" suggests that risk cannot or should not be discussed in a rational manner.

What I think Sandman is getting at is that often risk isn't discussed in a rational manner, because managers' (and security people's) egos, fears, ambitions, etc. get in the way. In a perfect Platonic world perhaps things wouldn't be that way, but in this one, people don't operate by reason alone, even when they think they are doing so.

Outrage x Hazard may be a means to express risk within the context of the organization, but I like probability of loss event x probable magnitude of loss better for quantitative analysis.

Indeed, quantitative analysis is good. However, once you've got that analysis, you still have to sell it to management. And there's the rub: that last part is going to require dealing with emotion.

August 07, 2007

Metricon: Puzzle vs. Mystery

Here at Metricon 2.0, many interesting talks, as expected.

For example, Russell Cameron Thomas of Meritology mentioned the difference between puzzle thinking (looking only under the light you know) and mystery thinking (shining a light into unknown areas to see what else is out there). Seems to me most of traditional security is puzzle thinking. Other speakers and questioners said things in other talks like "that's a business question that we can't control" (literally throwing up hands); we can only measure where "we can intervene"; "we don't have enough information" to form an opinion, etc. That's all puzzle thinking.

Which is unfortunate, given that measuring only what you know makes measurements hard to relate to business needs, hard to apply to new, previously unknown problems, and very hard to use to deal with problems you cannot fix.

Let me hasten to add that Thomas's talk, entitled "Security Meta Metrics—Measuring Agility, Learning, and Unintended Consequence", went beyond these puzzle difficulties and into mysteries such as uncertainty and mitigation.

Not only that, but his approach of an inner operational loop (puzzle) tuned by an outer research loop (mystery) is strongly reminiscent of John R. Boyd's OODA loop. Thomas does not appear to have been aware of Boyd, which maybe is evidence that by reinventing much the same process description Thomas has validated that Boyd was onto something.

-jsq

August 06, 2007

ROI v. NPV v. Risk Management

There's been some comment discussion about security ROI. Ken Belva's point is that you can have a security ROI, to which I have agreed (twice). Iang says he's already addressed this topic, in a blog entry in which he points out that

Calculating ROI is wrong, it should be NPV. If you are not using NPV then you're out of court, because so much of security investment is future-oriented.

ROI: security people counting with fingers? Iang, Financial Cryptography, July 20, 2007

Iang's entry also says that we can't even really do Net Present Value (NPV) because we have no way to calculate or predict actual costs with any accuracy. He also says that security people need to learn about business, which I've also been harping on. I bet if many security people knew what NPV was, they'd be claiming they had it as much as they're claiming they have ROI.

July 06, 2007

Punching Hornets

What do science fiction writer William Gibson, global guerrilla theorist John Robb, libertarian Republican presidential candidate Ron Paul, and the late historian David Halberstam agree about?

Still, it is hard for me to believe that anyone who knew anything about Vietnam, or for that matter the Algerian war, which directly followed Indochina for the French, couldn't see that going into Iraq was, in effect, punching our fist into the largest hornet's nest in the world.

The Late Halberstam's Final Verdict on Bush: "He's No Truman", by Adam Howard, alternet.org, 5:38 AM on July 5, 2007.

One could add Napoleon in Russia and the British in America. Funny how fighting in Russia in the winter wasn't like Italy in the summer.

June 29, 2007

Chance is Not Games

Speaking of Black Swans, here's an interesting point in a review of Nassim Nicholas Taleb's book on that subject:

Why do we base the study of chance on the world of games? Casinos, after all, have rules that preclude the truly shocking. And why do we attach such importance to statistics when they tell us so little about what is to come? A single set of data can lead you down two very different paths. More maddeningly still, when faced with a Black Swan we often grossly underestimate or overestimate its significance. Take technology. The founder of IBM predicted that the world would need no more than a handful of computers, and nobody saw that the laser would be used to mend retinas.

The perils of prediction, From The Economist print edition, May 31st 2007

If a casino sees a black swan (a really big winner), it's likely to escort that person off the premises permanently, and maybe have a few words with whichever card dealer or one-armed-bandit programmer let that happen. If ordinary people hear somebody saying a really destructive event is likely to happen, they're likely to call him a mad dog, no matter how good his data.

Yet black swans happen. While by their nature they're hard to predict precisely as to time or place, it's good risk management to admit they can happen and to have a plan for that eventuality.

-jsq

June 12, 2007

Salvage Logging

AP Photo/Don Ryan, FILE

While the federal government tries to dump the costs of wildfires onto local governments, a new study indicates that federal policies have been making things worse:

"It was the conventional wisdom that salvage logging and planting could reduce the risk of high-severity fires," said Jonathan R. Thompson, a doctoral candidate in forest science at Oregon State, who was lead author of the study appearing this week in Proceedings of the National Academy of Sciences. "Our data suggest otherwise."

They suggested that the large stands of closely packed young trees created by replanting are a much more volatile source of fuel for decades to come than the large dead trees that are cut down and hauled away in salvage logging operations.

Scientists find logging dead trees after wildfire and replanting makes next year's fire worse, by Jeff Barnard, AP, 11 June 2007

Salvage logging is removing dead trees after a fire. It turns out that doesn't reduce the risk of fire, and close-packed new-planted trees increase that risk.

May 24, 2007

Burned vs. Burned Up

Regarding the Georgia and Florida swamp and pine fires, one of the main questions is at what point does preservation offer greater economic gain than resource extraction. Looking at the big picture brings out two points:

ActionBioscience.org: The figure "$33 trillion" was once projected as the value of ecosystems globally. What do you think of this type of economic analysis?

Polasky: The $33-trillion figure refers to one of the earliest studies that was done on the value of ecosystem services. The lead author was Robert Costanza. He and his coauthors tried to get at the notion of how we can establish on a global basis what the value of ecosystem services is. They came up with a number 33 trillion [USD] plus or minus a few trillion. There are a number of problems with the study. The most basic one is the question of what you are talking about when you consider all the ecosystem services of Earth. The entire system is our life support system. So what is our life support system worth? You don’t really have to have a scientific study in order to answer that question. The real value of the study was not the $33-trillion figure, which who knows what that means, but that it spurred people to focus on these issues.

Such values can be big, and the dollar value isn't the only consideration. There is a bit of risk in that we can't do without the biosphere, and some risk management is in order. Even beyond that obvious non-dollar value, there are further questions of species diversity and esthetics. Do we really want to kill off an ecosystem when we don't really know what it's doing for us, and do we all want to live surrounded by concrete?

May 17, 2007

Your Risk Swamp

Chandler commented on Wildfire Precedents about how some timber companies had mismanaged underbrush cleanup. That's probably true in some places, but the details of the forestry and fire problems in the west and in the southeast are different. Fire is the usual method to clear underbrush in southeastern pine forests, but not the kind of fires we're seeing this year.

May 14, 2007

Wildfire Precedents

I'm having a little difficulty finding historical statistics on wildfires. Here's someone's understanding:

My understanding is that the size of this fire is almost unprecedented with the exception being a fire in 1955 that consumed 58,000 acres.

The wind changed today. I can smell the smoke of my neighbor’s land again. The ash is falling again, too. Bitter snows.

The Waycross Wildfire 2, jimmorrow, April 23, 2007

When he wrote that towards the end of April, 55,000 acres had been burnt near Waycross, Georgia.

February 02, 2007

Let a Million Data Flowers Bloom

Speaking of disseminating information to interested groups via the Internet:

The publicly funded data is down here, and we'd like flowers to grow up on the net.

Myths about the Developing World, Hans Rosling, TED Talks, 2007

Back in the 1960s there was the rich world with low birthrate and long life expectancy and the poor world with high birthrate and low life expectancy. Nowadays there's much overlap and many countries that were formerly in the poor camp are almost indistinguishable from the rich camp. Seeing China climb up one way and then the other over time sinks this concept in more effectively than reading about it.
