I usually try to stay far away from politics and current events, but my friend Rich has put up a blog post blaming the credit crisis on quantitative analysis, and then positing that because the economy sucks, Information Security should be only qualitative.
Now I’ve been “accused” of being a quant in the past (hi rybolov!) but in reality the only dogs I have in this fight are the model and the application of scientific method - and really, ethically speaking, I have to be tied to the latter while applying the former.
And I see a false dichotomy in this whole Quant vs. Qual thing. We, as a profession, tend to create a political divide between the two which, if it even exists, I’d say is based more on our ignorance rather than our expertise. After all, we are the profession that regularly multiplies across ordinal scales and uses wonderful models like R=VxTxI. As someone learning to deal in probabilities and rationalism, I have to recognize that this discussion is really just about the act of observation using different metrics of measurement.
But how we’re going about observing does not change the fact that there is measurement based on observation. So if I’m working with you I can easily turn your qualitative scale into a quantitative one, and vice-versa. Yes, Shrdlu, if we had the time, even your most seemingly Qual things could be Quant! (This flexible world view, btw, is an outcome of that new-fangled Bayesian thing).
COGNITIVE BIAS A-PLENTY
But back to what Rich is saying there about information security and risk - and he isn’t/won’t be the only one saying these sorts of things - we should try to understand what’s really going on rather than get caught up in the emotional hurricane. Our profession suffers several forms of cognitive bias. The nature of our jobs and what we do can cause us to be focused on the outcome and not the quality of the decision at the time it was made. We want to bring in things from other professions that are useful, but at times we do view things outside our profession with false correlation to our own (unfortunately for those who write these sorts of articles, financial risk is completely different than operational risk). We also have the tendency to focus on negative outcomes without acknowledging the positive outcomes (For example, I hear that Alan Greenspan’s new firm is up a couple of $billion in all this mess since he joined them, short sellers are doing quite well - must be because they have qualitative models or something -grin-). The effect of these biases are compounded by the facts that proper correlation takes more work than we usually give it, and rational thought is not that easy when there’s a witch-hunt mentality.
What also floats in water? (link to Youtube)
WHAT SHOULD WE BE THINKING ABOUT?
So as you and I read opinions that seem to be the polar opposite of irrational exuberance (and there will be plenty between now and the election) we’ll have to ask ourselves, “what really failed here?” At the risk (pun) of over-simplification:
- Was There an Error on the part of Probability Theory?
After all, Probability Science like all other fields of knowledge is always “advancing” as they say. So perhaps probability theory is wrong somehow?
I’m personally disinclined to put the blame here, primarily because I would think that there would be evidence from other fields (like Quantum Mechanics) that something is amiss waaaaay before it hit a field like economics.
- Was There Error In The Model Used to Determine Risk?
Some people who understand real estate valuation and complex derivatives and financial risk want to put the blame here. It’s a little too early to tell, but one thing is for sure - Financial risk is so different from operational risk I couldn’t begin to hazard an opinion on the subject. But it would seem that this is really somewhere we might look.
- Was There Error In The Scale Used (Quantitative vs. Qualitative)?
Honestly? I find it extremely difficult to understand how this could be the source of financial ruin.
- Was There Error on the part of the Decision Maker?
What if all of the above were just fine, and the decision maker chose short term gain over long term stability? What if this was (to simplify the matter greatly) a choice of “heads” over “tails” and the coin landed on tails? What if the model represented the right risk (probability of negative outcome vs. positive outcome), but the complex derivative was sold to someone else who had poor “risk management” (ability to make a good decisions)?
Now I have no clue about complex derivatives, and I’m oversimplifying to be sure - chances are like most things, there are several problems that helped create the primary cause. But it seems to me that as we go into incident response mode for the economy, it’s more helpful to do so in a rational, logical manner.
OTHER THINGS WE MIGHT WANT TO CONSIDER
Consider the Source
Some authors (who I think tend to exploit outcome and hindsight bias,and then combine those with indirect ad hominem attacks in order to sell their books), are actually putting forth arguments against the use of analytics. The source of this is a current epistemic debate between those who believe that only falsification is certain, and those who maintain that neither proof nor falsification are certain, there are only probabilities. So before you go believing any “quadrants” of usefulness on faith - I encourage you to understand what is at the heart of the discussion.
We All Have to Live In The Real World
The sun will rise tomorrow, and someone will try to find the source of the problem and do a better job. Now chances are, they’ll be doing it in a quantitative manner. Chances are also that at some point their models will fail and we’ll need to build new ones. And this will happen whether the field is cosmology, economics, meteorology, information security, or professional baseball.
WHAT ABOUT YOU, ALEX?
I’m far from certain and subject to change, but these days I lean towards Robin Hanson & MIchael Lewis w/regards to placing blame.
