The title is a quote from Mike Tyson, his own later rendition of "battle plans don't survive first contact with the enemy." Programmers' egos get bound up in their code; after all, it is their creation, they thought it through and they built it. A modeler's ego gets caught up in the model they create. Rick Bookstaber talks about the harm that comes from false precision, or physics envy:
"In the Bruce Lee movie, Enter the Dragon, Lee faces his arch enemy in a fight. To intimidate Lee, his opponent holds up a board, and splits it in two with his fist. Lee watches passively and says, “Boards don’t hit back”. That gets to the reason physics does not work in finance: markets do hit back.
The markets are not physical systems guided by timeless and universal laws. They are systems based on creating an informational advantage, on gaming, on action and strategic reaction, in a space without well structured rules or defined possibilities. There is feedback to undo whatever is put in place, to neutralize whatever information comes in. The natural reply of the physicist to this observation is, “Not to worry. I will build a physics-based model that includes feedback. I do that all the time”. The problem is that the feedback in the markets is designed specifically not to fit into a model, to be obscure, stealthy, coming from a direction where no one is looking. That is, the Knightian uncertainty is endogenous. You can’t build in a feedback or reactive model, because you don’t know what to model. And if you do know – by the time you know – the odds are the market has changed. That is the whole point of what makes a trader successful – he can see things in ways most others do not, anticipate in ways others cannot, and then change his behavior when he starts to see others catching on.
For example, I have seen this issue repeatedly in risk management, and it is one reason any risk management model will not cover all the risks. Once the risk model is specified, the traders will try to find a way around it. Are you measuring DV01 risk? Well, fine, then I will do DV01-neutral yield curve trades. Now are you measuring yield curve risk? Fine, then I will do DV01 and yield curve neutral butterfly trades. One of the problems with VaR – and for that matter with any complex model – is that it opens up all the more dimensions for such gaming, and for gaming in a way that is harder to detect. Maybe this can be put into a model, but if it can, it won’t look like how things are modeled in physics."
Of course we have this problem in spades in infosec. In Identity and Access Management systems, we attempt to partition the system into states that comply with policy and states that do not. This works for granting the privileges and capabilities that authorization decisions are built on, but it does not handle the activity that occurs outside the coverage of the IAM model: the policy can only decide on the dimensions it was written to see, and, as with the traders above, whoever wants around it will work in the dimensions it does not.
In the Security Triangle I draw the distinction between access control and identity and access management systems (the plan, if you will) and Defensive services. Defensive services are monitoring, logging, defensive coding, input validation, output encoding and many other approaches to dealing with the unknowns. My RSA presentation last year discussed this: Dealing with the Wildness that Lies in Wait.
The point of the separation is that while IAM is important, it will only take you so far.
What is the Enablement part at the top of the triangle? That is getting IAM and Defensive services to work together in a real-world deployment. In other words, integration.
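To make the plan/defensive-services split concrete, here is an added example (my own illustration, not code from the post or from any product it mentions). The policy table, the role names, the resource-id format and the request stream are all constructed for the example. The IAM layer answers exactly one question, "may this role perform this action on this resource type?", and nothing else. The defensive services around it handle what that question does not cover: a resource identifier the application never issues (input validation), a principal approving the invoice they created (a separation-of-duties pattern the role model cannot express), and a burst of approvals (monitoring over the decision log). The `handle` function is the integration step: the Enablement corner of the triangle.

```python
"""Added example (not from the original post): the IAM "plan" beside the
defensive services that cover what the plan does not model.

Everything here is constructed for illustration: the policy table, the
principals, the identifier format and the request stream. Nothing is taken
from a real system.
"""
import re
from collections import Counter

# --- the plan: an access-control model ------------------------------------
# Constructed policy: role -> set of (action, resource_type) the role may perform.
POLICY = {
    "clerk": {("read", "invoice"), ("create", "invoice")},
    "manager": {("read", "invoice"), ("create", "invoice"), ("approve", "invoice")},
}


def iam_authorize(role, action, resource_type):
    """Pure policy decision: is (action, resource_type) in the role's grant set?
    It says nothing about the resource id, the rate, or the sequence of requests."""
    return (action, resource_type) in POLICY.get(role, set())


# --- defensive services: dealing with what the policy cannot see ------------
# Constructed identifier format, e.g. INV-00042.
RESOURCE_ID = re.compile(r"^[A-Z]{3}-\d{4,8}$")


def validate_resource_id(resource_id):
    """Input validation: reject identifiers the application never issues,
    whatever the policy says about the action."""
    return bool(RESOURCE_ID.fullmatch(resource_id))


class DefensiveMonitor:
    """Logs every decision and flags patterns the role model cannot express:
    a principal approving an invoice they created, or a burst of approvals."""

    def __init__(self, burst_threshold=5):
        self.log = []          # every decision, allowed or not
        self.creators = {}     # resource_id -> principal who created it
        self.approvals = Counter()
        self.burst_threshold = burst_threshold

    def record(self, principal, action, resource_id, decision):
        self.log.append((principal, action, resource_id, decision))
        findings = []
        if decision != "allow":
            return findings  # denied requests are logged but need no further analysis
        if action == "create":
            self.creators[resource_id] = principal
        if action == "approve":
            if self.creators.get(resource_id) == principal:
                findings.append(("self-approval", principal, resource_id))
            self.approvals[principal] += 1
            if self.approvals[principal] > self.burst_threshold:
                findings.append(("approval-burst", principal, self.approvals[principal]))
        return findings


def handle(monitor, principal, role, action, resource_type, resource_id):
    """Integration: validation first, then the policy, then monitoring of the outcome."""
    if not validate_resource_id(resource_id):
        decision = "deny:invalid-input"
    elif not iam_authorize(role, action, resource_type):
        decision = "deny:policy"
    else:
        decision = "allow"
    findings = monitor.record(principal, action, resource_id, decision)
    return decision, findings


def run_demo():
    """Constructed request stream; returns the (decision, findings) for each request."""
    monitor = DefensiveMonitor(burst_threshold=3)
    requests = [
        ("alice", "clerk", "read", "invoice", "INV-0001"),
        ("alice", "clerk", "approve", "invoice", "INV-0001"),        # stopped by policy
        ("bob", "manager", "read", "invoice", "../../etc/passwd"),   # policy allows reads; validation stops it
        ("carol", "manager", "create", "invoice", "INV-0002"),
        ("carol", "manager", "approve", "invoice", "INV-0002"),      # allowed by policy, flagged by the monitor
    ] + [("carol", "manager", "approve", "invoice", f"INV-{n:04d}") for n in range(10, 14)]
    return [handle(monitor, *r) for r in requests]


if __name__ == "__main__":
    for decision, findings in run_demo():
        print(decision, findings)
```

Note what each layer catches. The policy denies the clerk's approval, which is exactly what it was built for. The traversal-looking identifier is never seen by the policy at all; the policy would happily allow a manager to read an invoice, and only validation notices the id is not one the application issues. Carol's self-approval and her approval burst are both "allow" as far as IAM is concerned; the monitor is what turns the allowed activity into findings. Pushing those last two checks into the policy is possible, but every new dimension added there is another one that can be gamed, which is Bookstaber's point about VaR.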