A major theme that Ross Anderson introduced is that Information Security is not just about policy (what the system's supposed to do), mechanism (delivering on the policies intent), and assurance (having some confidence that the mechanisms meet the policies goals). Its also about incentives. When incentives are mis-aligned, such as when the one who suffers the loss is not in a position to ensure safety against loss, then, well, you can expect bad things to happen regularly.
Of course, infosec is not alone in this regard and the great recession has provided many object lessons, perhaps none more than the one currently playing out between MGIC and Countrywide
Of course, Countrywide stood to benefit by generating loans, but in no way was forced to eat its own dog food or suffer downside risk based on the quality of the loans. MGIC's claim goes on to say that Countrywide relaxed its underwriting standards "to encourage Countrywide loan officers to systematically ignore risk in order to attract and retain business", which led to Counrtywide's loans defaulting three times the rate than other MGIC insured loans.MORTGAGE GUARANTY INSURANCE CORP., familiarly known as MGIC, which also has taken more than its share of lumps from the housing collapse, is wrestling with Countrywide over a bunch of the latter's bum mortgages it insured. At issue is whether those mortgages were mortally flawed from birth, something, alleges MGIC, that Countrywide had more than a little reason to be aware of.
In its complaint to the American Arbitration Association, MGIC makes no bones that it thinks Countrywide, eager to exploit the housing bubble, embarked on "a reckless strategy to attract new subprime and other high-risk business." And the insurer goes on to cite a clutch of cases to prove its point. We found the narrative lively reading (and we're grateful to Mark Hanson for bringing it to our attention).
There is, for example, the woman who bought a $600,000 house, claiming she worked as an account exec at a California investment firm, earned $13,494.03 (nice touch that three cents) a month, had a $45,000 bank account at Wells Fargo and, according to the insurance application, made a $30,000 down payment.
When MGIC nosed around, it discovered the investment firm she supposedly worked for didn't exist, neither did the bank account, she hadn't made a down payment and she actually earned $3,901.58 a month as a janitor at a medical facility.
In another instance, a $350,000 loan was extended by Countrywide to a fellow who wanted to buy a home valued at that amount and claimed he was a dairy foreman earning $10,5000 a month. Again, the snoops at MGIC discovered the guy was a milker at the dairy who earned $1,100 a month and signed the documents where he was told to -- even though he couldn't read English.
There's plenty more of the same in the complaint by MGIC charging that Countrywide agents were complicit in various and sundry deceptions. Frankly, we found it all something of a hoot, though it's not hard to see why MGIC isn't laughing. But even comic tales typically embody a moral, and this one is no exception. Fraud played no small role in the great demolition of housing, but the principal perpetrators were never diligently pursued and, for the most part, went crying all the way to the bank. Moral hazard, anyone?
Why didn't MGIC request a sample of Countrywide's applications during this process to provide assurance? :-) Heck, even the auditors do this for building access cards ;-)
Posted by: Jon | April 07, 2010 at 01:19 PM