“Is risk management too complicated and subtle for InfoSec?” — I think just mathematics is too complicated and subtle for some people

It’s interesting to see how knowledge of Bayesian methods exists in certain fields while ignorance of the details leads to weird conclusions about their use. A good example of this phenomenon is this mangling of the two-envelope problem — supposedly a “paradox” that Bayesian decision analysis fails at — which is then used to argue that Bayesian analysis of risks is therefore actually useless and that instead

In the absence of reliable risk information, a similar approach to information security may be the best that we can do – just try different things and see which works the best. You might call this approach “experimental security.” There may be no better approach.

Yeah, just experimenting without any inferential tools makes sense… Funny how it allows the analyst to believe anything he wants without anything to back it up.

The takedown is painstakingly given here, but the only comment on it at the time of writing should make it clear just how entrenched the forces of “irrational pragmatism” are:

The Bayesian approach has many beautiful mathematical properties, but it fails to make contact with reality — it has no pragmatics. Worse, it fails to recognize that there is more than one person in the world. In the Bayesian world there is only one subjective probability, “mine”. The fact that you exist and have your own subjectivity that just might have something to do with our agreed-upon response to any particular problem is totally irrelevant. All the technical mathematical results in the world can’t get past these foundational problems.

Wouldn’t it be better to admit ignorance of the issues at hand and then give your opinions on that basis rather than just spout nonsense? There is clearly much education about Bayesian analysis to be done, starting with demolishing incorrect preconceptions that are already out there.

