There is an interesting paper written by Dan Geer appearing on the ACM Queue website titled, “The Evolution of Security” concerning the management of IS&T security risks. In 2003, you may remember, Geer published a controversial paper about the potential security problems of computing monocultures and Microsoft in particular as an example, which got Geer fired from his job at @stake.
Geer makes a number of good points in his paper, but the one I especially liked was his spelling out the clear difference between cost-benefit and cost-effectiveness, to wit:
“…. where cost-benefit asks whether you would rather have the money or the benefit, cost effectiveness assumes that you will, indeed, spend the money and thus your interest is in how much benefit you can get for your money, not whether you would rather keep your money in the first place. This means asking questions such as, ‘Would you save more lives by spending the $10 billion on safer cars or on law enforcement?’ ‘Would you get better availability by spending the $1 million on 10 percent uptime or on instant recovery?’ ‘Would your own pursuit of happiness lead you to spend $100 on one fine dinner or on 20 lunches?’
CE is always tractable; CB is tractable only when the conversions of benefits to dollars are stable and noncontentious. To be blunt, CE is worth doing and CB is not. CE is decision support; CB is self-congratulation. If we are doing risk management rather than contemplating our navel or pandering to the electorate, then we must make decisions about allocating scarcity. We must remember that the purpose of risk management is to improve the future, not to explain the past.” Geer attributes this last sentence to Daniel Borge in his book, The Book of Risk.
Geer’s article is a good reprise of some of the fundamental issues of investing in risk management, and should be read. Once you have read it, you may want to look at yesterday’s column by Cindy Skrzycki in the Washington Post titled, “Does Cost-Benefit Matter?” Her column is on a recent report by the AEI-Brookings Joint Center for Regulatory Studies on the use of cost-benefit analysis by the US government to determine whether governmental regulations should or should not be put into place. As she notes, “The practice of estimating the costs and benefits of U.S. government regulations is ‘frequently done poorly,’ with scant evidence that it makes a difference on policymaking.” You can download the AEI-Brookings report, which is titled, Has Economic Analysis Improved Regulatory Decisions?, here. This report, together with Geer’s article, gives a good sense of why cost-benefit analysis is difficult to do, and may not be the best measure for managing risk.
