From Risk to Uncertainty

I don't agree with everything in this piece by Thomas Homer-Dixon that appeared last week in the Toronto Globe and Mail, but this quote is an absolute gem (emphasis added):

Our global financial system has become so staggeringly complex and opaque that we’ve moved from a world of risk to a world of uncertainty. In a world of risk, we can judge dangers and opportunities by using the best evidence at hand to estimate the probability of a particular outcome. But in a world of uncertainty, we can’t estimate probabilities, because we don’t have any clear basis for making such a judgment. In fact, we might not even know what the possible outcomes are. Surprises keep coming out of the blue, because we’re fundamentally ignorant of our own ignorance. We’re surrounded by unknown unknowns.

It's something I've said for a long time:

It's tempting to think that all things are predictable given enough information, enough minds, enough time and enough computing power. It's just not true. (Which is not to say that some things are not predictable... and with incredible precision... a phenomenon that leads to overestimating the scope of problems and questions that lend themselves to such methods.)

Telling which is which is the trick...

I would go even further to say that really smart people who, by life experience know that some things are fundamentally unpredictable still draw an unvoiced sense of emotional comfort in their business life from the idea that some wise expert somewhere has been to the future (for all intents and purposes) and if we could just find him or her things would be OK... and/or that a really sophisticated computer model or prediction market (the 'collective mind') can provide crystal ball-level insights.

Sometimes yes. Often, no.

I liken Mr. Homer-Dixon's observations to those tragically massive car pile-ups that happen a few times of year in fog-prone areas like the Central Valley of California. Everyone is driving along at a reasonable speed, with reasonable spacing between vehicles. People are sipping coffee, tuning radios, maybe talking on cell phones. Slightly distracted, but mostly responsible. All is normal.

Then the first guy hits a fog bank and can't see squat. He taps his brakes. The second guy sees red lights and fog coming up fast and taps his brakes just a little bit harder, and so on. In just a few seconds, hundreds of cars end up in a tangled heap and people die. All because the guy in front was convinced by every one of his senses and not without justification based on experience that the visibility on the next 100 yards of road would be the same as on the last 100 yards of road.

Scenarios as Vehicles for Fear-Mongering

When we develop scenarios with clients, we emphatically avoid the kind Frank Furedi (rightly) decries here [emphasis added]:

From global warming to obesity, bird flu to terrorism: 2007 was the year when the threat of an apocalypse became an everyday, even banal public issue... The fear market in apocalyptic scenarios continued to flourish in 2007. Almost every week we were told that ‘the situation’ is far worse than we originally thought... Public figures appear to have lost the capacity to reassure or lead people. Instead, they frequently opt for evoking frightening futuristic scenarios where the line between fiction and reality become unclear.

One consequence of Western societies’ obsessive preoccupation with the apocalypse-to-come is that less and less creative energy is devoted to confronting the all too important problems that exist in the here and now. Take the global credit crunch unleashed by the sub-prime home loan crisis this year for instance.

In terms of its material impact, this was arguably the most significant event of the year. After more than a decade of economic stability, the world economy faces the threat of a major recession with important implications for people’s lives. This threat may not make an exciting plot for a sci-fi movie, but it has a direct bearing on the quality of life of millions of people. It also raises important questions about an economic system that is so heavily reliant on using fictitious capital to reproduce itself.

Events over the past 12 months suggest that what we think and how we think influences how we experience our reality.

Some rules and questions we use to avoid these traps and test whether scenarios are useful include:

Are scenarios sufficiently orthogonal to and distinct from one another? Does each embody both 'good' and 'bad' elements? Real world developments are seldom all good or all bad at the same time and from the same perspective. If participants in a scenario workshop find it trivial to line up the scenarios in the same way from "good/easy for us" to "bad/frightening for us", we haven't done our job of representing real-world nuance in hypothetical future stories.

Do scenarios incorporate "here and now" events and choices? (We usually embody these in what we call 'events', a component of modular scenarios). Scenarios entirely about some far-off, visionary 'place' with no explicit ties to current issues are seldom useful beyond the fiction stacks.

Are scenarios directly comparable to current conventional wisdom? (I.e., as Furedi puts it, "how we think... [and] experience our [present] reality"). Without a concrete "you are here dot" scenario that represents what constituents are thinking and assuming, it's impossible to describe how "far away" hypothetical future scenarios really are, or what change they imply. If I'm contemplating a trip to Miami, it helps to know (in terms of budgeting, preparation and mode of transport whether I'm currently in Juneau, Ft. Lauderdale or Tiera del Fuego.

What Can and Cannot Be Predicted (and Thoughts On Telling the Difference)

I just ran across this post ("Debating the Viability of Terrorism-Prediction Markets") over at the 'Footnoted' blog at the Chronicle of Higher Education discussing the risks of terrorism how best to assess them and whether they can be known at all. (If you've grown weary hearing about war, politics and terrorism, just skip to my non-terrorist business conclusions in the last paragraph.

In a recent interview [PDF] with the Federal Reserve Bank of Richmond, W. Kip Viscusi is asked about the public-policy response to the threat of terrorism and whether we are weighing the costs and benefits in a generally rational way. "The reason this is tricky is we don’t have very good numbers on what these risks are," Viscusi says. "The estimates of the probability of a terrorist attack or the number of people who are going to die in the coming year are all over the map. So if you can’t assess the likelihood of a terrorist attack or how deadly it is going to be, it is really hard to say how much you should spend to try to prevent it." [emphasis added]

Vscusi is characterized later in the article (and not without reason) as "one of the foremost academic experts on risk". His comment is in response to a persistent school of thought that claims, as Bruce Schneier does, that from an actuarial perspective, "terrorism doesn't happen".

Without the qualifier, the idea sounds terribly cold. With all reverence for the families of those who have lost loved ones in terrorist incidents however, it's not. Businesses and governments--not to mention non-profit institutions, individuals and families--all need to assess risks as rationally as possible and take measures to hedge them. Like it or not, the value of a human life can be defined--at least partially--in dollar terms. Anyone who's ever taken a course in economics or statistics (or balanced a checkbook for that matter) has figured out that infinite spending to protect against risk is infinitely foolish and that infinite spending on risk 'A' (and no spending at all on risks 'B', 'C', and 'D') is only a variant on the same wrong-headed assumption.

That's not what's really at issue. What is at issue is the degree to which the political leanings of some lead them to believe that we can know how much to spend combating terrorism and that the 'right' number is obviously much less than we are spending today (e.g., tactical domestic measures, overhead for business, strategic overseas measures, etc.) To which my response is: really? Show me your pre-9-11 white paper predicting the order-of-magnitude sea-change that occurred in that 'industry' on 9-11.

Bryan Caplan is one of Viscussi's critics. The CHE post notes:

"I am frankly puzzled," Caplan writes at EconLog. Citing the work of John Mueller,we have a long experience with terrorism, which has "shown it to be an extremely small problem in the broad scheme of things. How much longer does Viscusi want to wait before he'll conclude that the risk is very low?"

Unfortunately, long experience in and of itself is not sufficient for prediction, even at a macro level. Hold that thought for a quick diversion.

Here's where it gets weird. In criticizing Viscussi, Caplan, an econ prof at famously free-market GMU, ends up in league with Schneier, who as far as I can tell, tends towards the opposite end of the political spectrum. Both conclude, for entirely different reasons, that the future threat of terrorism can be known and condensed to a dollar figure and that rational budgets (both public and private) can be set accordingly. Oh that it were so.

Caplan, in particular "favors the establishment of a prediction market to help assess the likelihood of a terrorist attack". That's something I can conditionally applaud. If the results are used to "help assess", then we're fine. The possibility that a prediction market might help draw in and roll up marginal, highly distributed, even intuitive information that can supplement traditional (and sadly inadequate) intelligence-gathering mechanisms is certainly a good thing.  I've been a huge fan of prediction markets for years. They should be used for more things than they are today. To my delight, more and more are catching on.

But...

...as longtime readers know, I've also concluded that there are some (and arguably many) problems for which prediction markets are not only silly but grossly misleading. I don't have the space to review them all of them here. Thinking that they can precisely predict and quantify particular terrorist threats or even the threat of terrorism generally is a notion that falls into that category. Almost by definition, a successful terrorist venture is compartmentalized, secret and surprising.

In short, Caplan, Schneier and others appear to have an ideologically-induced blind spot that leads them to declare certainty where it does not exist. Let me explain.

Schneier and Caplan draw their essential argument from a backward-looking, actuary-style catalog of terrorist incidents. This many people died. This much property was lost. Productivity was reduced by this much for this long. Etc. Etc. It all sounds very rational. If we had reason to believe that terrorism were a natural, forecastable, perhaps even cyclical phenomenon, that approach would be absolutely correct. We don't.

The main problem, as I've noted before, is that:

The  unpredictability of terrorism renders any backwards-looking, purely quantitative, actuarial mode of analysis inappropriate and ineffective. That is, future deaths due to terrorism are something that neither Schneier nor anyone else can possibly predict with any degree of confidence.

Until 2001, the biggest single terrorist incident had caused around 300 deaths. Then in the space of a few hours, that number went up by an order of magnitude. There was no consensus (or even a significant plurality) of expert opinion predicting that that would happen - much less when, where and how. [emphasis in original]

And that's the problem.

Sudden, step-function, order-of-magnitude change, precipitated by a small group that has every reason to keep its plans secret is inherently unpredictable. It can only be imagined. If that sounds familiar outside of the terrorist context, it should. Businesses face this kind of challenge all the time; it is the very nature of business, in fact: snowboards vs. skis; digital photography vs. wet-process; PCs vs. mainframes; VoIP vs. legacy telephony; biotech vs. big pharma. The list is very long. It's harder to name an industry that hasn't been touched by this kind of change at some point (often precipitating the re-invention and re-definition of the former "industry") than it is to come up with a long list of examples of industries that have be altered in this way. Bottom line: it's important to differentiate between problems that lend themselves to forecasting and those that can only be dealt with via imaginative scenarios.

Pandemic Preparation

Former Health and Human Services Secretary Tommy Thompson (who consults on pandemic planning) makes a coldly harsh but thoroughly rational statement about bird flu in the January/February, 2007 issue of Corporate Board Member Magazine (quick, free registration required):

“I keep telling them this planning is good for the company. If we have a pandemic we’ll build market share, because our competitors aren’t doing the planning.”

What kind of market share, you may ask? Earlier in the article, another consultant provides examples of opportunity in the midst of hypothetical chaos after avian flu has hit:

A big hotel chain, figuring tourism would collapse, is studying how to rent its properties to governments as places to tend the sick. A hospital operator has contracted for refrigeration trucks [because] their in-house mortuaries are too small... A communications corporation has built a self-contained “clean facility” within its headquarters to house critical personnel and key operations.

Sounds like the kind of grim-but-true advice I'd expect to hear on Six Feet Under. Elsewhere in the article, Robert E. Mittelstaedt Jr., dean of Arizona State University’s W.P. Carey School of Business comments on scenario planning, noting (as I have before) that scenarios are often misused as a predictive tool and at a far too detailed level for business continuity planning (or much of anything else, for that matter):

...it’s difficult to engage in detailed scenario planning, because no one knows how, exactly, a pandemic would unfold—“but we want to make sure there’s a plan there, while not micromanaging it.”

Shortly after 9-11, a client showed us a massive spreadsheet of disaster possibilities, deeming them all 'scenarios'. They were not. Every conceivable thing was covered--from half a dozen megatonnages and locations for nuclear detonations to countless permutations of bridges and tunnels being taken out, anthrax being mailed, utilities and emergency services being cut and the simultaneity of all of the above.

Too much. Waaaaay too much. The 'scenarios' were also confined by definition to what the client could conceive of on its own, colored, it's now clear in hindsight, by the headlines of the day. We were brought in in part to help make sense of it all.

Another angle some now see, and for which real scenarios are well suited, is thinking through supply chain risk and contingency--something many have woken up to in the wake of the Taiwan earthquake (some of the resilience implications of which I blogged about last week: here, here and here). The article continues:

For manufacturers, supply-chain resilience is a chief concern. Some have been conducting due diligence on the readiness of suppliers, knowing that if critical components aren’t delivered it will render their own contingency plans useless. Others are establishing relationships with alternative suppliers, just in case... [though] some directors privately concede that little attention is being paid to the specific challenges posed by a pandemic. Having lived through Y2K, 9/11, and Hurricane Katrina, many outfits feel comfortable that their general risk-management and business-continuity plans will suffice during a pandemic. [emphasis added]

Key differences to note: 9-11 was local; Katrina was regional; Y2K was long-anticipated. Yes they all had global effects, but none were even in the same league as a 1918-style pandemic. In no case were people unable or unwilling on a wholesale basis to travel to work for more than a few days.

All of which leads me to the conclusion the esteemed Former Secretary has already reached: surviving bird flu as a business entity may require as much clever seizing of new opportunities as it does determination to keep the old business running. In some cases there is no rational continuity strategy, only one of strategic resilience (building the capability--structurally, culturally and otherwise) to flexibly adapt to radically changed and changing circumstances.

Fallacies of Telecom Network Resilience: Lessons From the Taiwan Earthquake

Picking up from my post on the same topic earlier this week, more is becoming clear about Internet and telecoms network failures to and within Asia as a result of Tuesday's major earthquake(s) in and around Taiwan.

• Boats are in place and the fix is already underway, contrary to earlier reports indicating that the cables wouldn't even be touched until after the turn of the new year.


• Laws designed to keep fishing vessels from dragging undersea cables carry fines pitifully out of proportion to the potential damage (roughly a million-to-one). It's not clear why, in a nation (China) not shy about capital-punishment, someone has not lost their head over previous cable cuts (e.g., April 6, 2004).


• The capacity of land-lines from Europe to Asia is tiny in comparison with those from the U.S. to Asia and the U.S. to Europe. This global asymmetry  raises a host of issues ranging from economic development to politics to outsourcing to culture.


• Satellites are expensive and have only limited capacity. The illusion that they offer backup to undersea cables is just that--little better than thinking that carrier pigeons will fill the gap.

With that and other emerging news, it's also becoming clear that lessons learned after 9-11 haven't 'stuck'.

Within the IT-savvy portion of the New York financial community at least (and, I would have imagined, well beyond it) a great deal was learned, publicly documented and put into practice to address the fragility of such networks. The cost was not small, however the there was unanimous agreement that the alternative was worse. The direct and indirect costs of closed markets (four days in the case of 9-11) were understood to be vastly larger--something that many in Asia are rediscovering to their collective chagrin.

The lessons of 9-11 (from a business resilience perspective anyway) are not particular to New York, to the U.S.,  or even to a cause. I'll rephrase and repeat that last bit, because without justification, thinking about business resilience is too often segmented by what went bump in the night rather than what happened as a result of it.

The business resilience lessons of 9-11 apply as well to natural as to man-made disasters; as well to widespread as to 'point' impacts; and as well to protracted as to short-duration events.

The lessons are immutable--essential principles for building and maintaining resilient networks and organizations. Two biggies are:

Understand layer one. Don't assume that a carrier's logical architecture (much less it's marketing architecture) showing a ring, double ring, or even mesh network has anything to do with physical reality. Both 9-11 and the Taiwan earthquake illustrate how economic pressures and crowd dynamics drive networks towards similar if not identical paths-of-least-resistance. (I suspect that carrier assurances in articles like this are not really about physical routes.) This is no more the fault of a particular company or person than is Interstate 80 through the California Sierras, the Golden Gate Bridge across the mouth of San Francisco Bay or the majority of the U.S. financial community on one tiny island (Manhattan). Those were simply the most logical  and least costly places to put those things. So it is under the ocean... 

Get a cross-carrier view. Don't assume that because you have signed up with three carriers that your data (or voice) traffic is moving via three distinct networks, much less three physically dispersed paths. Inter-carrier 'grooming' agreements can spring up without any legal requirement for end customers to be notified.  This is what happened on 9-11. In a similar vein, don't assume that the Internet itself is resilient because it was designed to withstand a nuclear attack. See point one: physical routes matter.

I'll address other laws of business resilience in subsequent posts.

Undiscovered Single Points of Failure: Taiwan Earthquakes and the Illusion of Resilience

Apparently much of Asia, including Australia, has been reduced to minimal Internet bandwidth following the 7.1 magnitude earthquake and powerful aftershocks in Taiwan earlier this week. One article said 40% capacity, noting the outage may persist for days or weeks.

It's a reminder that many networks (and many kinds of networks) that we depend upon we also take for granted. And many of those have single points of failure known to only an elite few. In some cases (e.g., because the cables belong to competing providers) failure points are not known by anyone until it's too late. This is particularly true in Asia, as I've noted before, even among the tech-savvy. My more recent optimism in this regard may have been misplaced.

Forbes characterizes the failure as, "the largest outage of telephone and Internet service in years... demonstrating the vulnerability of the global telecommunications network."

...Up to a dozen fiber-optic cables cross the ocean floor south of Taiwan, carrying traffic between China, Japan, Korea, Southeast Asia, the U.S. and the island itself. Chunghwa Telecom Co., Taiwan's largest phone company, said the quake damaged several of them, and repairs could take two to three weeks. Taiwan lost almost all of its telephone capacity to Japan and mainland China... Later, Chunghwa said connections to the U.S., China and Canada were mostly restored, but 70 percent of the capacity to Japan was still down, along with 90 percent of the capacity to Southeast Asia.

ZDNet says that "two of seven" cables were disrupted, enough to cause service-disrupting congestion on the remaining lines. Based on experience, I find the higher figure Forbes cites more likely, though it's possible that distinctions in terminology account for the difference.

The International Herald Tribune (among others) cites the oft-repeated idea that the Internet is by its very nature resilient:

Technicians in Singapore said that the Internet's built-in protocol was automatically rerouting traffic over alternative routes, either overland through China, west through the Middle East to Europe or even south to Australia.

All true... to a point... the problem being one of layer confusion: if the physical cables don't exist, nothing can be re-routed over them--automatically, manually or otherwise. (Wireless, much less satellite links, do not provide the kind of trunk capacity we're talking about over long distances.)

As this map shows that the IHT's wishful thinking about "overland through China" and "west through the Middle East" are really just ways of expressing grim humor while waiting for the broken undersea cables to be repaired. Last I checked, there were some really big mountains and corrupt Islamic, authoritarian and 'former' communist governments in the way. This map, showing China and vicinity makes this clear. This one shows only Alcatel submarine routes but nonetheless shows what's true of most other providers: most roads go near or through Taiwan. This one by China Telecom confirms the tiny capacity running west over land.

Could this recognition of a geographic reality (i.e., Taiwan as cross-roads on which the mainland is dependent) cause the Chinese to see with greater acuity their dependence on Taiwan... and act on it in new ways?

UPDATE: The W$J this morning confirms the criticality of the sea space around Taiwan:

While the clusters of glass fibers are enclosed in protective material, they remain vulnerable to undersea earthquakes, fishing trawlers and ship anchors. There are also many choke points around the globe, including the vicinity of Tuesday's earthquake, where a number of key cables converge... "It's unprecedented that all seven cable systems suffered damage at the same time," said Au Man-ho, director-general of the [Hong Kong] Office of the Telecommunications Authority.. [emphasis added]

Unprecedented stuff happens all the time. This whole incident is architecturally and organizationally reminiscent of what happened to communications on 9-11, including its effects across a much wider region. I.e., a common single point of failure among several trunk networks previously imagined to have been geographically distributed was discovered only in crisis.

Then there's this, also in the W$J:

...four repair ships with crews will arrive in the affected area on Jan. 2 to begin repair work on four of the damaged lines.

That's five days from now. The location is less than 100 miles off the coast. I can only surmise that the reason for the delays is one that both plagues and enables business resilience efforts (but which is seldom taken into account), namely: people. Mustering a crew to do the repairs (or perhaps mustering the factories to produce the materials needed to do the repairs) is no easy task over the Christmas/New Year's break. When things break, it's seldom at the most opportune time.

Scenarios for H5N1; Scenarios for Resilience

This month's issue of Strategy and Business features an article on Avian Flu that begins with a fairly mild hypothetical future newspaper headline (a scenario 'event' in our lexicon):

Atlanta, November 24, 2008 — The U.S. Centers for Disease Control and Prevention today attributed two deaths in northern New Jersey and one in Philadelphia to a human-to-human transmissible strain of the avian influenza virus. Although reports of the disease among humans have been accelerating in Asia and Europe, these are the first deaths to occur in the United States. Health officials are calling for the closure of schools in the tri-state region and for citizens to limit all unnecessary travel until further notice... [italics in original]

The authors go on to make an important if somewhat exaggerated observation about resilience:

Pandemics are unique among large-scale disasters; they leave the supporting physical infrastructure of roads and buildings largely intact. Only the people who operate these lifeline infrastructures are affected.

Pandemics are not as unique as the authors would like to make them out (though at scale, we'll admit, they probably are). After the August 2003 New York City blackout, as well as in the immediate aftermath of 9-11, the availability of people for critical functions was compromised by the difficulty they encountered in moving around. In the case of the blackout that had to do with the subways not working and secondarily with the sudden capacity crunch for roads, bridges and even sidewalks as everyone wanted to get home all at once. On 9-11 the crunch came more as a result of security restrictions. 

Ultimately, the reason why people can't get where they need to go (to do their jobs and/or to recover from doing them) is less important in thinking about resilience than is the simple fact that they cannot move around efficiently - if at all.

That's something we've written about before in "Dependence on Fragile Networks".

Then there's this data-rich if still hypothetical statement:

The U.S. Department of Health and Human Services estimates that a pandemic comparable to the 1918 outbreak could cause 1.9 million deaths in the United States. In that projection, there would be 90 million people ill, 1.5 million hospitalized in intensive care, and 742,000 people needing mechanical ventilators to breathe. This situation would put a huge strain on public and private health systems; for example, there are now only 105,000 mechanical ventilators in the United States. In the U.S. alone, economic losses would range between $71 and $167 billion.

It's not clear if the 90 million ill number is all at once or over a period of months (we suspect it's the latter). Either way, that's a scenario that ought to get everyone thinking: What would I do? What would my organization do? What critical services do we take for granted today? (Telephone? Sewer? Water? Payment systems? Electricity? Gasoline? Fresh food? Roads? Police? Fire protection?) Are we really ready for a few months' collective foray into what could look, feel and smell a lot like the Middle Ages? Probably not. Let's hope we don't have to go there.

Then there's this note:

Organizational planners cannot prepare for a pandemic the same way they would prepare for other crises — identifying the most likely scenarios and anticipating ways to deal with them — but only in a more flexible way: building the capacity for continuous sensing and responding, and striving for the resilience that will be needed when disruptions or disasters occur.

That's true if one thinks of scenarios in their more traditional form: as rigidly scripted set-pieces, screened for their apparent likelihood as seen from the standpoint of today. Interactive, modular scenarios by contrast, are far more fluid affairs. They enable (even force) participants to role play, try on possibilities and rehearse together what might be seen as 'unlikely' but which in fact might be completely unpredictable. It is the process of rehearsing together more than the particulars of the scenarios themselves that give participants the awareness and shared frameworks to respond effectively when "the plan" must be thrown out the window.

Side note: The Tradesports contract on Bird Flu being confirmed in the U.S. on or before the end of 2006 is currently trading at 42. That's down from a brief high of 78 shortly after it floated in March. It's still frighteningly credible. That still leaves ample time for a human outbreak to begin in the U.S. - as imagined in the article - before the end of 2008.

Collecting Scenarios For The Next 9-11

Bruce Schneier is reporting in this month's Cryptogram on the preliminary results of his "Movie Plot Threat Contest". The frame involved a 9-11-like small group (20-30 people) with modest financial resources (~$500K). The goal:

...cause terror. Make the American people notice. Inflict lasting damage on the U.S. economy. Change the political landscape, or the culture. The more grandiose the goal, the better.

The huge assumption behind this public contest is that there is no such thing as an effective secret. I.e., that harnessing the collective creativity of Schneier's expert readers will not give terrorists ideas they could not have thought of just as fast on their own. It's an assumption common among IT security professionals and one with which we have taken issue before, e.g., here and here.

Thankfully some participants exercised caution.

I also got a bunch of e-mails from people with ideas they thought too terrifying to post publicly. Some of them wouldn't even tell them to me. 

Some (including this blogger) didn't even tell him they aren't going to tell him. There are things we've learned in our travels that while perhaps not strictly top secret would take significant time, resources and connections to discover and knit together - as they did for us. The holders of that knowledge (clients of ours) thought that factor important enough to 'scrub' their websites a few days after 9-11 and make us sign NDAs. And they aren't the only ones. Schneier's knows this well but makes a big leap of faith regardless:

...if there's one thing this contest demonstrates, it's that good terrorist ideas are a dime a dozen. Anyone can figure out how to cause terror. The hard part is execution.

Maybe. That would be encouraging news if it were true. Yet there is no proof of Schneier's assertion other than the peaceful passage of time - a perilous and nerve-wracking proof at best. Even with the leveling force of the Internet, the fact that something is common knowledge to one group of people does not mean that it is known to everyone instantly much less that its significance and context will be appreciated. The Internet is not a universal Vulcan mind-meld.

The moral hazard Schneier discounts is that of speeding and reducing terrorists' costs of discovery of non-secret but still obscure information and creative ideas. Were that not true, nobody would be investing money in tools and other businesses (e.g., prediction markets)  to harness the collective creative power of the Internet, nor would anyone bother with funding R&D or protecting intellectual property. The good, creative ideas would just be... there.

Anyone know offhand the secret formula for making Coca Cola or Kentucky Fried Chicken batter or for the skin of a stealth aircraft? I didn't think so. I don't either. Those things are discoverable but not without substantial motivation, effort, money and risk.

In fact that was one of the rationales on which DARPA's Policy Analysis Market was shot down three years ago: that harnessing collective intelligence to figure out which terrorist attack modes were 'best' would help the terrorists to... figure out which attack modes they should pursue.  (More on that here.) In the meantime, as I blogged last March, there remains - despite Schneier's opinion to the contrary - the possibility of a sudden, order-of-magnitude jump in a single 'innovative' terrorist incident... as we saw on 9-11. Schneier continues:

Looking over the different terrorist plots, they seem to fall into several broad categories.

The first category consists of attacks against our infrastructure: the food supply, the water supply, the power infrastructure, the telephone system, etc. The idea is to cripple the country by targeting one of the basic systems that make it work.

The second category consists of big-ticket plots. Either they have very public targets -- blowing up the Super Bowl, the Oscars, etc. -- or they have high-tech components: nuclear waste, anthrax, chlorine gas, a full oil tanker, etc. And they are often complex and hard to pull off. This is the 9/11 idea: a single huge event that affects the entire nation.

The third category consists of low-tech attacks that go on and on. Several people imagined a version of the DC sniper scenario, but with multiple teams. The teams would slowly move around the country, perhaps each team starting up after the previous one was captured or killed. Other people suggested a variant of this with small bombs in random public locations around the country.

I disagree with Schneier on this one important point, but the rest of the piece (and the rest of his blog) are worth reading. One thing that Schneier's contest is unlikely to do - even if terrorists are monitoring it closely, as they probably are - is to fully understand what the terrorists would perceive as 'success'. I've wondered for some time for example, why relatively trivial attacks that could bring the U.S. economy to its knees within days were not perpetrated long ago.

The conclusion I keep coming back to is somewhat different from Schneier's.

Good ideas may be "a dime a dozen" (and yes, execution is often hard - a truism in any business) but when the currency is Yen or Dinar or Lira (metaphorically speaking, at the same exchange rate), a group will come up with a different dozen (or hundred, or thousand) ideas and prioritize them differently. Despite the Internet, culture of all kinds (local, national, corporate, educational, ethnic, gender-based, religious, etc.) as well as life experience and specific domain knowledge remain powerful forces shaping and constraining human imagination.

Our business (scenario planning for groups) revolves around this fact. The innovations that Client A thinks of as trivially obvious are often completely 'off the radar' of Client B and vice versa. Why? It's not that the other organization's ideas are even consciously considered and dismissed. More often a significant number are never thought of at all. If that were not true, we would not have a business and nobody would ever bother competing for creative talent.

As long as such barriers to perception exist (which will be as long as the human species exists), we should not so cavalierly assume that collective idea-generation and vetting is without value. After all, if that were true, then it would be of no value to Schneier and his reputation as a security consultant to sponsor such a contest in the first place.

American Idol - Lessons for Business

For those living in a cave (or without access to FOX), the reality contest show American Idol has been a runaway success. Last week it took the top slot in the Nielsen ratings (again) with a 19.2 rating and a 28.0 share, reaching just over 21 million households. That's big by any measure. While merely the most recent and visible in a long string of viewer-participation shows dating back decades, I sense that it's brought us to a new 'place' as a nation of consumers.

I cannot tolerate its interminable ad-maximizing tease without a DVR, but plenty are willing to endure that irritation. That says a lot. By raising expectations of participation, Idol has brought us one step closer to accepting if not demanding a 'vote' in how new products, services and artists are brought to market. It has also proved that involving potential customers in the vetting process can be hugely entertaining - a big business in its own right. Where once one had to pay customers to attend focus groups, it's now at least plausible to consider how their input can be garnered virtually without cost if not as its own profit center.

Idol has also shown how the traditional marketing process can be turned on its head: cement brand loyalties first, before risking far more money and time on a broad promotional campaign. Rather than financing the launch of manufactured talent (think Back Street Boys, Spice Girls, etc.), why not let loyalties emerge before the deal is ever signed and the CD master cut?

What's remarkable to a follower of crowd-wisdom methodologies is how close the format is to something truly sophisticated and widely applicable. It should not come as news to anyone reading this blog that Tradesports has for some time made a robust business out of contracts on how Idol will turn out. (As of this writing, Bucky is the runaway favorite to take the fall this week - so far ahead at 45 on a 1-100 scale that it causes me to wonder if insider information has leaked.)

It is this second derivative crowd that's fascinating: "which singers are most likely to fail to garner votes?" rather than "which singer(s) do I like?" Traditional market research and polling methodologies have typically asked: "How would you react?" ...to this product, this service, this price point, this set of features. The results can often fail to reflect reality.  People  don't always put their money where their mouth is. They don't vote. They express enthusiasm for a product that's subtly surpassed by a competitor once it reaches the market six months later. They (or the researchers) fail to take into account how the respondents may be unrepresentative of the market at large.

"How will all customers react?" is a very different question. On the one hand it is more complex in that it demands a gestalt sense of what many people will do, taking into account a vast array of possible extraneous factors that ordinary market research techniques assume away. Assuming ordinary weather. Assuming no war with Iran. Assuming no immediate competition. Assuming a sterile laboratory in which the choice is simple and binary. Those tricky questions have traditionally been internalized in the sense that it was up to the management team to figure them out (or more often, gloss them over.) And yet, on the right questions and with sufficient participation the more complex question of what other people will actually do (and what are the chances that they will do it) elicits information that can be incredibly rich and prescient.

What will everyone do taking into account everything that you know, sense, feel, intuit, hear on the grapevine and imagine could happen in any scenario? Moreover, what's your confidence in each the bottom line given all of those possibilities?

Those are the types of questions good executives ask and probe and probe again. It should be no surprise that we're finally starting to ask them of much wider audiences. Bottom line: what do you think will happen? Is it Bucky or Ace? The human desire to express an opinion  about what other people will do is a powerful force that marketers are only beginning to tap.

Terrorism, Creative Uncertainty and Rational Prediction

I recently finished "Beyond Fear" by security expert Bruce Schneier. In it, he features a chart showing the number of annual deaths from various causes (e.g., different cancers, automobile accidents, heart disease, stroke, suicide, etc.) Alongside it, he lists casualty figures resulting from specific terrorist incidents over the past century or so.

At the top of the terrorism list, of course is 9-11, accounting for 3,029 deaths. It's followed by several airplane bombings in the 1980's that each cost ~250-300 lives (e.g., Pan Am over Lockerbie, Scotland). Schneier correctly points out that in the context of preventable deaths from other causes, even counting 9-11, terrorism has simply not been that big a deal to date. [Stay with me before rushing to comment...]

The direct and indirect costs of countermeasures the U.S. and other Western countries have taken in response (Schneier argues) are far out of proportion to actual damage and death in the past or the risk of further damage and death in the future. The second part of that statement is utterly flawed.

The  unpredictability of terrorism renders any backwards-looking, purely quantitative, actuarial mode of analysis inappropriate and ineffective. That is, future deaths due to terrorism are something that neither Schneier nor anyone else can possibly predict with any degree of confidence.

Until 2001, the biggest single terrorist incident had caused around 300 deaths. Then in the space of a few hours, that number went up by an order of magnitude. There was no consensus (or even a significant plurality) of expert opinion predicting that that would happen - much less when, where and how.

Yes there were a few isolated voices and even a paper-trail that seem amazingly prescient in hindsight. They don't count. Somebody, somewhere is almost always predicting the future with great precision. Discovering in advance which of those billions upon billions of conflicting and poorly substantiated forecasts is correct is the hard part!

The rub? Nobody can say that the peak casualty figure from a single terrorist incident won't go up again by another order of magnitude (or two, or three) tomorrow morning... or in ten years... or not at all (begging the recursive question of our ability to prevent such a jump by investing prudently in a wide range of broadly geopolitical to highly targeted countermeasures.)

As of the 10th of September, 2001 any rational calculation of the risk and cost of terrorism based on historical data would use numbers in the low 100's for possible deaths and develop countermeasures that were commensurate. After 9-11, the same rational, backwards-looking calculations might use 1000's. Both would be subject to so much uncertainty as to be laughable - because they rely on the same flawed approach to assessing the magnitude of such a risk. (A similar if largely forgotten leap in awareness of the risk occurred in the early '70s)

Terrorism is fundamentally not a forecastable thing. That's especially true during a period of innovation and expansion in that sad, sick "industry". The fact that the peak death number changed so suddenly makes a conservative rational calculation based on past history just as tenuous as any radical emotional guess based on fear. Given that the trend is clearly up however, and that the last jump was by 10X, it is only prudent that we err to the side of assuming high and being wrong than assuming low and waving bye-bye to New York or Los Angeles.

The larger point? What's tough about predicting terrorism is also tough about predicting discontinuous change in business. Applying the same forecasting methodology to discontinuous possible 'left-field' problems as to well-understood, clearly bounded problems with deep actuarial data-sets is like trying to eat soup with a knife. A tool that's extremely precise and powerful for some jobs is utterly misguided for that one.

As we noted last month with regards to "creative uncertainty":

...what was the 'probability' circa 1970 that snowboards (and the as-yet nonexistent entrepreneurial providers who would invent them) would cut into the ski industry? ...Or the 'probability' circa 1980 that digital photography would into silver halide (wet process) film sales?

It is only with a broadly creative process (e.g., scenarios) closely wedded to a structured forecasting methodology (e.g., prediction markets, delphi, etc.) that more reasonable - if still subjective - assessments can be made. In the realm of creative uncertainty, it is the anticipation of entire classes of unconventional threats and opportunities and their rough magnitude, not detailed numerical forecasts that lend strategic power to organizations investing for the long term.