Comment by jiggawatts
3 years ago
Something related that I've noticed in government projects is that they will spend $100K on a tender process to eliminate a fraud risk of 5% that amounts to at most $10K if it does occur. So if you amortise the total "value" of the fraud, it's 10,000 x 0.05 = $500!
Spending $100K to avoid a loss of $500 is something most sane businesses will not do, but to government this makes perfect sense, because they have a rule that the acceptable amount of fraud is zero.
Hence, they'll spend nearly infinite resources to try to bring fraud down to closer and closer to zero.[1]
You see similar things with risk aversion. Some risk is inevitable, but again, government departments will cheerfully blow billions of dollars to avoid the slightest risk. Projects like ITER and the SLS are highly risk averse and their costs reflect that. Meanwhile smaller, newer, more risky projects will run circles around them.
[1] At least what is perceived to be zero. In actuality fraud remains rampant, but as long as it is technically legal, it is not subject to this rule.
> Spending $100K to avoid a loss of $500 is something most sane businesses will not do, but to government this makes perfect sense, because they have a rule that the acceptable amount of fraud is zero.
In short: no. That's the perception, but it is not correct, at least for security risks.
So since you mentioned SLS (you mean CMS and healthcare.gov maybe? Hello from a friend of people who made those things) I assume you mean US government. Now I totally agree that is perceived. Few parts of risk management are mandated at least in terms of the infosec side of the fence with risk management beyond what is in law (FISMA and thus the Risk Management Framework made to address it as a req). The NIST RMF (SP 800-37 and SP 800-53) is very flexible and, without even mentioning quantitative methods in those documents, would inherently be at odds with your example; it is the opposite of risk management. But I do agree USG staff and contractors perpetuate this fallacy when provided the checklists of high-level recommendations and don't bother reading 800-37 at all, which explains the rationale, strategy and approach that explain why this example you give is bad, and for good reason. They essentially document that not all systems get the same breadth and depth of security across govt in all agencies and projects equally for this reason. It doesn't scale or make sense.
Sorry for the rant. I have it once a week with friends in public and private sector and the perception is true and may happen but the docs and the people who wrote them (also friends) can tell you that is very much the opposite of what's recommended by NIST and those upstream guidelines are those derived from law.
I'm sure that's what ought to happen, but you're not considering the bureaucrat's point of view here. If fraud happens on their watch, and there was a process that could have prevented it, it's their ass on the line. And since it's not their money that they're spending, it's perfectly sensible to spend $100k (most of which will be hidden as time, not capital costs) to not just avoid the potential loss of $500, but to avoid the far more damaging possibility of being accused of negligence.
Let me be more blunt: perhaps I am one of those bureaucrats. Your comment espouses views of government bureaucrats as indifferent to wasting "others'" money and only accepting poorly executed projects. Most agencies are currently beholden to extensions under continual resolutions for day to day spending money and don't have stable budgets due to Congressional pressure (the new year is months away, but it has been this way frequently for years now). So, you have to fight to be allowed to spend any little bit of money that wasn't allocated as part of ongoing spend (but even I don't know how that works in detail, I am low level), for even small amounts to keep everything under $10,000. I have to ask and wait for ridiculously small stuff.
The prior comment (and my rebuttal) were that it must be intentional re measurement, re the risk of doing and not doing things and what the cost is (a.k.a. risk-managed programs in the parlance NIST helped standardize). No, it is not. As for what you are leaning into: perhaps quantitative measurement of risk is important, but perhaps raw costs are not the only factor? I agree, in some (I am not sure it is over 1/2 and I can say most, but I am not suggesting it is a really small fraction and completely disagreeing with you) or many cases, raw cost is a factor that seems to be ignored. How is that? But there are others where we (as civil servants) probably could try to explain implied costs (I have failed ironically to get people to consider a mathy approach to this a few times) around things you and I probably see as qualitative. But sometimes we in govt have to do things because elected officials in the govt make us do so through changed or new laws. Other times the perception of the very ineptitude and indifference to hard-to-quantify factors you cite is a risk unto itself (just harder to quantify) for the larger agenda, and that drives the need to pursue it anyway.
I recommend people read this article and cite it often when presenting about how to help government help itself. I started doing that as an outsider, and now it rings truer than ever to me on the inside.
https://peknet.com/2020/09/21/shame-software-government/