See, they ain't that scientific either

I'm no big fan of overly complex approaches to risk management, and recent economic events have made me even less so.

There was a great article in the Economist about a conference for the American Securitization Forum - the wonderful people who brought us all the complex debt products that are giving banks no end of bellyache. Ironically the conference was held in Las Vegas, and a wonderful quote came from hedge fund manager John Devaney, who said "I'd like to thank the market for dealing me a direct hit. As a trader if you don't get sucker-punched every once in a while, you don't understand what risk is."

Also, there were a few good articles last week about how money managers had retreated from the market because they'd lost faith in the ability to model risk effectively.

If only it were so easy for information risk professionals, who often protect far more than just money - we protect innovation, national security, and even human life in some cases. It's not quite so easy for us to take a direct hit.

Financial markets have taken centuries to evolve, yet look at what can happen with their well-established risk models. Information risk modeling is still only nascent, and changing at a blistering pace. Yes, we need a more structured approach to information risk management - defining and comparing the different risks we face - but technology and business are evolving so fast that we need to temper our expectations about how scientific this can ever become.

The best quote I heard on this topic was from Hugh Voight of Solutionary, who says that "To get from New York to San Francisco, you don't need Google Maps until you get close to the Bay Area. At first, you just need to go West."

We still just need to "Go West" when it comes to modeling information risk. Bring on the Village People!


re: See, they ain't that scientific either

You realize that this article is one big bias statement, right? That there are plenty of investors (notably, the ones Alan Greenspan went to work for after leaving the Fed) whose models *did* work just fine. Second, I'm not sure you really understand the concept of "scientific". It wouldn't seem that you are making a statement that science (which is simply the implementation of the scientific method towards understanding a body of study) is flawed (because the evidence you're giving seems to back up the opposite). It looks like you are really trying to make a statement about quality of data. Two different concepts there, and if the latter is really what you're going for - then I would suggest that we need to get *more* scientific as the rate of change accelerates, rather than shamanistic (as you seem to suggest - "just do something without reason"). Finally, if you "just go west" from New York, you end up in Oregon.

re: See, they ain't that scientific either

Thanks for the comment. Agree with the point regarding the term "scientific" and the distinction with data quality. However, the financial systems approach to risk is held up as an example we should all aspire to. But too many times I've seen this aspiration to a complex financial-like empirical system lead security people to overreach, and then concentrate on the data they *can* get hold of, rather than the data they *should* get hold of - which is often more consensus and anecdote based than empirical. They then make data-led decisions they wouldn't make otherwise. We just need to a) set expectations appropriately and b) take the data for what it is. Besides, for most orgs I speak to aiming for a security equivalent of San Francisco, Oregon wouldn't be that far off the mark.

re: See, they ain't that scientific either

You assume that most Security departments can even define risk :) Note that if folks are focusing on metrics they can get ahold of rather than the ones they should get ahold of, then that is a fundamental failing of model & purpose (and then the technology as implemented without model or good purpose), not the concepts of Risk Management or Scientific Method.