20 October, 2006

Yet another great post on Riskanalys on risk management.


A lot of people out there have been bashing the risk management model of data security. The essence of the attack generally comes down to "that didn't come from real data." In many cases that is true.

In just as many cases the fault lies with us looking at the wrong data or, worse, doing the right thing at the wrong time and just not being "lucky".


Moneyball is a great book that I would recommend for anyone.

I got three great peanuts out of it.

1. Make sure you are tracking the right metrics.
2. Even if the metrics correlate with the goals, look for better ones for your objectives. (i.e. a better batting average does make you a better player, but on-base percentage is a better indicator of whether you can generate runs)
3. Probability (luck) means that even if you are looking at the right things, sometimes you won't see what is right. The trick is to find out why and what the real desired outcome is.

I suppose that I fall to a certain extent into the "metrics geek" camp on the security side.

In defense of the metrics people, there is precedent. The insurance and financial industries have found that the equations really do work. You just have to be measuring the right stuff.

Nuclear physicists do the same thing, and the equations are remarkably similar.


Alex said...

Thanks for the nice comments.

It's great that you referenced Moneyball (I'm a BIG Cards fan, wanna-be sabermetrician, and worked for BIS one season).

I actually was in a discussion once with a guy who was huge on "best practices" vs. risk management. He actually mentioned (he was from Europe) how sports teams do well from year to year following "best practices". I just had to suggest he read Moneyball...

My problem with the metrics "fad" is that some folks are advocating metrics without rigor applied to context. I sometimes wonder if they're just lazy or feel like they have to do something with the lousy stuff they can find.

Metrics are great, but as you said, make sure you are tracking the right ones!

PS - I would be interested in knowing what you know about F.I. metric gathering. I know a couple of really big ones, and maybe I suffer from small sample size but they're not really doing what I would call a bang-up job.

Jim C said...

Thanks. Moneyball, Freakonomics, and Singularity is Near are some recent favorites of mine. Perhaps I should do a post on geek books. The way we are currently doing it, metric-based risk management is certainly a "fad" (at least in many cases). Still, there are empirical risk management approaches that are anything but. By FI were you talking about the Finnish Industry study?

Alex said...

LOL, sorry, I shouldn't have abbreviated. I meant Financial Institution. But if you've got a good Finnish study, I'm all for it!

You're not a Primate, are you?

Jim C said...

Sorry, I normally think in terms of production, manufacturing and SCADA systems. :) As a matter of fact, I came to my current job to learn and engage more in information security for financial organizations.

On the baseball side I'm a Sox and Astros fan (Red Sox, that is). Epstein is following in Billy Beane's path, I think.