Architecting A Secure Society

Once again, we are confronted with the basic security question of how much is the right amount?

It’s a classic catch-22 that requires us to architect security to meet opposing ends: we expect security to be as much as necessary to stop the terrorists, but as little as possible to ensure efficient travel and trade and maintain people’s privacy and equality.

In the last decades, we have behaved schizophrenically, calling for more security every time there is an attempted attack, only to withdraw and demand greater privacy protections, speedier security processing, and only random checks when things cool down.

The Wall Street Journal reported in the January 9-10, 2010 edition that the U.S.’s handling of security nowadays is an ever-losing proposition. The article calls it a virtual game of “Terrorball,” in which we cannot win, because there only two perpetual rules:

· “The game lasts as long as there are terrorists who want to harm Americans; and

· If terrorists should manage to kill or injure or seriously frighten any of us, they win.”

Based on the above, I believe that we can only win the game by changing its rules. Rather than being reactive to every terror scare, we are prepared with one approach—one that delivers an optimal level of security based on the current level of risk.

I recall when Michael Chertoff was Secretary of Homeland Security. During that time, he was a strong advocate for a risk-based approach that was multilayered, strong yet flexible enough to accommodate changing circumstances. From that perspective, which I think made a lot of sense: security decisions are made on the basis of objective criteria. These include technical feasibility, maximum effect, cost-benefit analysis, and so on.

A risk-based approach, or what I call “optimal security,” clearly makes a lot of sense. Yet it is tempting, when a security situation actually occurs, to let emotions get the better of us. On the one extreme, sometimes hysteria takes place and everybody seems a potential threat. Other times, we get angry that anyone at all is subjected to scrutiny or questioning.

In order to save the most lives and change the terror game, we have to decide to become more rational about the threat that faces us. This doesn’t mean being cold and calculating, but rather rational and proactive in developing a security architecture and governance that seeks to protect the most with the least negative impacts—but not trying to plug every possible hole at all costs.

In optimal security: sure, there is the ideal where we want to protect every American from every possible threat. However, there is also the reality where, because of competing priorities and scarce resources (to address everything from the deficit, health care, education, social programs, energy, science, defense, and more) we cannot—no matter how much we genuinely want to—prevent every terror instance.

So the terror playbook can and should be transformed. We can recognize there will always be terrorists—enemies of the state—who want to harm us and given enough attempts, no matter how optimal our security, they will occasionally get a sucker punch in on us—and we must be prepared for this. Moreover, rather than “freaking out” about this the terror threat, we can grow and commit to doing the best we can and accepting that we will increase security when information is there to support that need, and we will relax when that becomes possible.

Bottom line: We must move away from hysteria and any other factor that prevents us from being objective and make rational choices to deploy protections that are most effective and simultaneously safeguard our liberty.

“Life, liberty and the pursuit of happiness” captures the security debate well. We want to safeguard lives, but at the same ensure liberty and we want to be happy and not afraid all the time.

To accomplish this balance, our optimal security realization should be based on highly effective intelligence, supported by the very best technology, and a security platform that adjusts to threats in real time.

While our intelligence continues to strengthen and our technology continues to improve, the greatest challenge is our ability as a nation and as individual human beings to cope with the distress caused by terrorism.

We are ambivalent emotionally about the threat and what needs to be done to combat it. However, once we look inside and understand the emotions that this issue raises, and come to terms with reality we face, we will as a nation be more at peace and less likely to jump from one extreme to another in terms of our demands and expectations from those who protect us every day.

Architecting A Secure Society

Why We Make Bad Decisions and Enterprise Architecture

With the largest Ponzi scheme in history ($50 billion!!) still unfolding, and savvy investors caught off guard, everyone is asking how can this happen—how can smart, experienced investors be so gullible and make such big mistakes with their savings?

To me the question is important from an enterprise architecture perspective, because EA is seeks to help organizations and people make better decisions and not get roped into decision-making by gut, intuition, politics, or subjective management whim. Are there lessons to be learned from this huge and embarrassing Ponzi scheme that can shed light on how people get suckered in and make the wrong decision?

The Wall Street Journal, 3-4 January, has a fascinating article called the “Anatomy of Gullibility,” written by one of the Madoff investors who lost 30% of their retirement savings in the fund.

Point #1—Poor decision-making is not limited to investing. “Financial scams are just one of the many forms of human gullibility—along with war (the Trojan Horse), politics (WMD in Iraq), relationships (sexual seduction), pathological science [people are tricked into false results]…and medical fads.”

Point #2—Foolish decisions are made despite information to the contrary (i.e. warning signs). “A foolish (or stupid) act is one in which someone goes ahead with a socially or physically risky behavior in spit of danger signs or unresolved questions.

Point #3—There are at least four contributors to making bad decisions.

• SITUATION—There has to be a event that requires a choice (i.e. a decision point). “Every gullible act occurs when an individual is presented with a social challenge that he has to solve.” In the enterprise, there are situations (economic, political, social, legal, personal…) that necessitate decision-making every day.
• COGNITION—Decision-making requires cognition, whether sound or unsound. “Gullibility can be considered a form of stupidity, so it is safe to assume deficiencies in knowledge and/or clear thinking are implicated.” In the organization and personally, we need lots of good useful and usable information to make sound decisions. In the organization, enterprise architecture is a critical framework, process, and repository for the strategic information to aid cognitive decision-making processes.
• PERSONALITY—People and their decisions are influenced positively or negatively by others (this includes the social affect…are you following the “in-crowd”.) “The key to survival in a world filled with fakers…or unintended misleaders…is to know when to be trusting and when not to be.” In an organization and in our personal lives, we need to surround ourselves with those who can be trusted to be provide sound advice and guidance and genuinely look after our interests.
• EMOTION—As humans, we are not purely rational beings, we are swayed by feelings (including fear, greed, compassion, love, hate, joy, anger…). “Emotion enters into virtually every gullible act.” While, we can never remove emotion, nor is it even desirable to do this, from the decision-making process, we do need to identify the emotional aspects and put them into perspective. For example, the enterprise may feel threatened and competitive in the marketplace and feel a need to make a big technological investment; however, those feelings should be tempered by an objective business case including cost-benefit analysis, analysis of alternatives, risk determination, and so forth.

Hopefully, by better understanding the components of decision-making and what makes us as humans gullible and prone to mistakes, we can better structure our decision-making processes to enable more objective, better vetted, far-sighted and sound decisions in the future.

Why We Make Bad Decisions and Enterprise Architecture