Category Archives: Business

Common Sense Lacking for Big Perils such as Georgia Hurricane or WorstCase Worm

Why it’s not good to depend on common sense for really big perils:
The models these companies created differed from peril to peril, but they all had one thing in common: they accepted that the past was an imperfect guide to the future. No hurricane has hit the coast of Georgia, for instance, since detailed records have been kept. And so if you relied solely on the past, you would predict that no hurricane ever will hit the Georgia coast. But that makes no sense: the coastline above, in South Carolina, and below, in Florida, has been ravaged by storms. “You are dealing with a physical process,” says Robert Muir-Wood, the chief scientist for R.M.S. “There is no physical reason why Georgia has not been hit. Georgia’s just been lucky.” To evaluate the threat to a Georgia beach house, you need to see through Georgia’s luck. To do this, the R.M.S. modeler creates a history that never happened: he uses what he knows about actual hurricanes, plus what he knows about the forces that create and fuel hurricanes, to invent a 100,000-year history of hurricanes. Real history serves as a guide; it enables him to see, for instance, that the odds of big hurricanes making landfall north of Cape Hatteras are far below the odds of them striking south of Cape Hatteras. It allows him to assign different odds to different stretches of coastline without making the random distinctions that actual hurricanes have made in the last 100 years. Generate a few hundred thousand hurricanes, and you generate not only dozens of massive hurricanes that hit Georgia but also a few that hit, say, Rhode Island.

In Nature’s Casino, By Michael Lewis, New York Times, August 26, 2007

And of course a hurricane did hit the Georgia coast before detailed records were kept, in 1898. The article notes that before Hurricane Andrew, insurers believed that a Florida hurricane would cost at most a few billion. The actual cost was more like $15.5 billion, predicted only by one woman: Karen Clark, founder of A.I.R.

Sure, the Georgia coast doesn’t have any single concentration of wealth like Miami. But it does have a swath of wealth that could be taken down by a single storm. And complacent owners who think it can’t ever happen, just like people in Thailand didn’t believe Smith Dharmasaroja before the 2004 Tsunami.

Meanwhile, on the Internet, the few insurers of Internet business continuity are winging it and most companies have no insurance at all, even though online crime is becoming increasingly sophisticated and leveraging the global reach of the Internet, and a global worm that could cause $100 billion in damage is still a possibility.

-jsq

Mounties Admit Making Up Online Piracy Costs

Hey, if you don’t have any research, why not just pick some number off the net? Police agencies do:
However blogger Michael Geist thought there was something fishy about the figure and asked for the sources behind the Royal Mounted Police’s $30 billion claim.

The letter came back from red-faced coppers confessing that they made up the figure based on what they had read on the Internet.

The RCMP did not conduct any independent research on the scope or impact of counterfeiting in Canada, but rather merely searched a couple news stories.

Canadian coppers admit making up piracy figures, $30 billion figure simply plucked from bottom, By Nick Farrell, The Inquirer, Wednesday 19 September 2007, 08:52

I like the punchline:
Soon they’ll try solving their cases by looking to see who did it on Wikipedia.
And will they change their motto to “we always make up our scam?”

-jsq

Outrage: Less and More

We’ve been discussing Outrage Considered Useful. Alex remarked in a comment:

The term "Outrage" suggests that risk cannot or should not be discussed in a rational manner.

What I think Sandman is getting at is that often risk isn’t discussed in a rational manner, because managers’ (and security people’s) egos, fears, ambitions, etc. get in the way. In a perfect Platonic world perhaps things wouldn’t be that way, but in this one, people don’t operate by reason alone, even when they think they are doing so.

Outrage x Hazard may be a means to express risk within the context of the organization, but I like probability of loss event x probable magnitude of loss better for quantitative analysis.

Indeed, quantitative analysis is good. However, once you’ve got that analysis, you still have to sell it to management. And there’s the rub: that last part is going to require dealing with emotion.


Skype and Windows Update

So, Windows update: Skype outage cause or smokescreen?

Apparently both:

The disruption was caused by a routine Windows patch update distributed Tuesday that required users to restart their computers. When a large number of Skype subscribers began logging back in around the same time, the requests – combined with the day’s traffic patterns – began overwhelming the system, revealing a bug in the software that normally helps the system allocate resources and “self heal.”

“Skype has now identified and already introduced a number of improvements to its software to ensure that our users will not be similarly affected in the unlikely possibility of this combination of events recurring,” Skype spokesman Villu Arak said.

Skype reveals outage source, tells customers it won’t happen again, Ryan Kim, San Francisco Chronicle Staff Writer, Tuesday, August 21, 2007

So we seem to have here a combination of hazards tripping each other.

This does raise the more general question: what other bugs are synchronized Windows updates exercising? And how long before such a Windows update installs a vulnerability that immediately gets exploited? And how long before such updates themselves cause massive outages? In software monoculture, Windows may be its own boll weevil.

-jsq

Outrage Considered Useful

There’s a bit of comment discussion going on in Metricon Slides, and Viewed as PR about counting vs. selling, in which the major point of agreement seems to be that even at a metrics conference there weren’t a lot of metrics presented that were strategic and business-like.

Let’s assume for a moment that we have such metrics, and listen to Peter Sandman, whose website motto is Risk = Hazard + Outrage:

Sometimes, of course, senior management is as determined as you are to take safety seriously. And sometimes when it’s not, its reservations are sound: The risk is smaller than you’re claiming, or the evidence is weak, or the precautions are untested or too expensive. But what’s going on when a senior manager nixes your risk reduction recommendation even though you can prove that it’s cost-effective, a good business decision? Assume the boss isn’t too stupid to get it. If the evidence clearly supports the precautions you’re urging, and the boss isn’t dumb, why might the boss nonetheless have trouble assessing the evidence properly?

As a rule, when smart people act stupid, something emotional is usually getting in the way. I use the term “outrage” for the various emotion-laden factors that influence how we see risk. Whether or not a risk is actually dangerous, for example, we are all likely to react strongly if the risk is unfamiliar and unfair, and if the people behind it are untrustworthy and unresponsive. Factors like these, not the technical risk data, pretty much determine our response. Risk perception researchers can list the “outrage factors” that make people get upset about a risk even if it’s not very serious.

The Boss’s Outrage (Part I): Talking with Top Management about Safety by Peter M. Sandman, The Peter Sandman Risk Communication Web Site, 7 January 2007

He goes on to outline several reasons management might get upset.


Conglomerates’ End

Previously I’ve mentioned that the era of blockbusters is over. Maybe there’s a corollary:
Is the heyday of media and entertainment conglomerates behind us?

A panel of industry analysts and bankers discussed this and other deal making questions as part of a PricewaterhouseCoopers event here Tuesday, with several of them arguing that conglomeratization has no real benefits, especially in the digital age.

“Consolidation in the old media world destroys value,” said Laura Martin, founder and CEO of Media Metrics LLC. “They are buying stuff (and audiences) because they don’t know what else to do.”

Media conglomerates in the past, panel says By Georg Szalai, Hollywood Reporter, 27 June 2007

Sounds like they’re scared of the long tail and are trying to buy it up to co-opt it. Hm, why does that remind me of telephone companies?

Burned vs. Burned Up

Regarding the Georgia and Florida swamp and pine fires, one of the main questions is at what point preservation offers greater economic gain than resource extraction. Looking at the big picture brings out two points:

ActionBioscience.org: The figure "$33 trillion" was once projected as the value of ecosystems globally. What do you think of this type of economic analysis?

Polasky: The $33-trillion figure refers to one of the earliest studies that was done on the value of ecosystem services. The lead author was Robert Costanza. He and his coauthors tried to get at the notion of how we can establish on a global basis what the value of ecosystem services is. They came up with a number 33 trillion [USD] plus or minus a few trillion. There are a number of problems with the study. The most basic one is the question of what you are talking about when you consider all the ecosystem services of Earth. The entire system is our life support system. So what is our life support system worth? You don’t really have to have a scientific study in order to answer that question. The real value of the study was not the $33-trillion figure, which who knows what that means, but that it spurred people to focus on these issues.

Such values can be big, and the dollar value isn’t the only consideration. There is a bit of risk in that we can’t do without the biosphere, and some risk management is in order. Even beyond that obvious non-dollar value, there are further questions of species diversity and esthetics. Do we really want to kill off an ecosystem when we don’t really know what it’s doing for us, and do we all want to live surrounded by concrete?


Your Risk Swamp

Chandler commented on Wildfire Precedents about how some timber companies had mismanaged underbrush cleanup. That’s probably true in some places, but the details of the forestry and fire problems in the west and in the southeast are different. Fire is the usual method to clear underbrush in southeastern pine forests, but not the kind of fires we’re seeing this year.


IT Security: Unnatural Industry

Bruce Schneier says the obvious:
Last week I attended the Infosecurity Europe conference in London. Like at the RSA Conference in February, the show floor was chockablock full of network, computer and information security companies. As I often do, I mused about what it means for the IT industry that there are thousands of dedicated security products on the market: some good, more lousy, many difficult even to describe. Why aren’t IT products and services naturally secure, and what would it mean for the industry if they were?

Do We Really Need a Security Industry? Bruce Schneier, Schneier on Security, 3 May 2007

Obvious in an emperor’s new clothes sort of way.

Do or Don’t

Well, you go away for the weekend, and Vista fans have a party on your blog….

While one of the commenters seems to mostly know people who like Vista, so far I haven’t found anybody I know who does; could be it’s who you know. Apparently Dell knows quite a few people who don’t want Vista, and the Houston Chronicle talked to some of them.

The people I talk to think Ubuntu Linux is just as good as Vista, and requires fewer resources. Sort of like this opinion: except for perhaps some Windows-specific applications, why not switch to Ubuntu? Dell is also moving to supply Ubuntu as a native operating system within weeks.
