And that is why you fail… 

Mahi Dontamsetti sent the ISM3 mailing list an article from the IEEE magazine called “Impossible Tradeoffs” by Robert Lucky - a now retired vice president for applied research at Telcordia.  It starts off innocently enough:

I sometimes think that the essence of engineering is making intelligent tradeoffs between conflicting parameters. Improve one parameter and another one worsens. The art is in knowing where to make the best trade. As engineers, we are trained to quantify different tradeoffs, draw some kind of cost/benefit curve, and make a rational choice based on our analysis.

It’s perfectly fine for the next few paragraphs, until he starts talking about risk and (presumably) Internet connectivity.  Then it death spirals like a WWII fighter plane being shot down -  twisting in slow-motion entropic disintegration where critical pieces of the plane fly off the fuselage one by one,  on fire and pulling too many G’s for the pilot to bail out.  To wit, after he discusses that there could be  some graph that describes risk vs. benefit:

The sticking point is, how do we measure these values? I’m afraid that the answer is, we can’t. It isn’t just that it is difficult—I think that it is intrinsically impossible. I resist this conclusion as an engineer, but it is one that I cannot escape. Monetary cost is something that we are familiar with, but benefit is often not quantifiable. So, in the case of network connectivity, the benefit of connecting to all those other computers and people cannot be measured.

Assessing the expected cost of computer intrusions also seems impossible. In fact, the situation in this instance is doubly impossible, because of the other fundamental difficulty: the appearance of a small, but definitely nonzero, probability of practically infinite cost. In business environments, this means there is some chance that a computer attack could, say, irreparably damage the company, putting it out of business. On the military side, there’s an outside chance a computer attack could disable the entire defense system. Even though there might be tiny probabilities associated with these events, their harm seems infinite, and the cost/benefit analysis breaks down.

 Contrast that with the following, from wikipedia that discusses the difference between scientists and engineers:

 

In the book What Engineers Know and How They Know It, Walter Vincenti asserts that engineering research has a character different from that of scientific research. First, it often deals with areas in which the basic physics and/or chemistry are well understood, but the problems themselves are too complex to solve in an exact manner. Examples are the use of numerical approximations to the Navier-Stokes equations to describe aerodynamic flow over an aircraft, or the use of Miner’s rule to calculate fatigue damage. Second, engineering research employs many semi-empirical methods that are foreign to pure scientific research, one example being the method of parameter variation.^[13]

Interestingly enough, it seems to me that scientists do a better job with “semi-empirical methods” (here) than IT Risk “engineer types”.   That is why we fail.  We’re stuck in a place between theory (science) and practice (engineering) with regards to risk management - and we’re not doing a good job at either.

What really gets me, though, is when I see folks online and in mailing lists come up with all sorts of nonsense about how risk can’t be measured, or, even worse, that it’s too difficult and should be discarded in favor of their version of witchcraft.

Ladies and gentlemen, let me implore you - beg you not to stop trying.  Just because a couple of retirees write articles that essentially say, “I couldn’t quantify risk back in my day - so you might as well just give up” - doesn’t mean that they are correct.   It just means that they couldn’t accomplish that task to their satisfaction during their career.

I’d imagine that Galileo, William Gilbert, or event John Atanasoff heard the same claptrap from their peers and predecessors.

Posted on April 26